Posted by Mark Gamache on September 15, 2005, 4:38 pm
Your design looks solid. Make sure to consider your root CRL publication
interval, AIA and CRL locations before you get going.
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
> I am going down the path of designing a PKI.
>
> Initially it will be used to provide SSL for OWA and Citrix but will be
> used for secure logon to AD in the future.
>
> The architecture I have come up with after some reading is to install a
> Stand-Alone Root CA, publish the CRL and Root Certificate to AD, then
> install an Enterprise Subordinate Issuing CA to provide the secure AD
> function for the internal users. The Stand-Alone Root would then be
> secured off the network.
>
> I would then have another Stand-Alone CA in the DMZ to provide the
> certificates for SSL and any future VPN requirements from external
> parties.
>
> Does this sound reasonable to the CA knowledgeables out there? Also I
> had intended for the DMZ CA to be another Stand-Alone Root but have
> read articles stating that this could also be a subordinate Stand-Alone
> CA.
>
> TIA,
> R.
>
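Mark's advice to settle the root CRL publication interval and the AIA/CRL locations before the first certificate is signed, shown as an added example that is not part of the original thread or either poster's own configuration. It uses certutil on a Windows Stand-Alone (offline) Root CA of the kind R. describes; the host name pki.example.com, the forest DN DC=example,DC=com, the CA name "Example Root CA" and the file paths are placeholders.

```powershell
# Added example (not from the thread): registry settings for an offline
# Stand-Alone Root CA so its CRL lifetime and the CDP/AIA URLs embedded in
# the subordinate CA certificate are decided before the first cert is signed.
# Placeholders: pki.example.com, DC=example,DC=com, CA name "Example Root CA".

# Root CA: long CRL period (the box is offline, so publication is manual),
# with an overlap window so the old CRL stays valid while the new one is
# carried to the web server and to AD.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0        # no delta CRL from an offline root

# Lifetime of certs this root signs (i.e. the enterprise subordinate CA cert).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# A stand-alone root is not domain-joined, so give it the forest's
# configuration naming context by hand; %6 in the LDAP URLs expands from it.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

# CRL Distribution Points. Prefix flags: 1 = publish CRL to this location,
# 2 = put URL in issued certs' CDP extension, 8 = put URL in the CRL's own
# CDP (10 = 2+8). Tokens: %2 server short name, %3 CA name, %6 config
# container DN, %7 truncated CA name, %8 CRL suffix, %9 delta marker,
# %10 CDP object class.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# Authority Information Access. Flags: 1 = publish CA cert here, 2 = put URL
# in the AIA extension. %1 server DNS name, %4 renewal suffix, %11 AIA class.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

# Settings take effect after a service restart; then cut the first CRL.
Restart-Service certsvc
certutil -crl

# --- On a domain-joined host, as an Enterprise Admin, after carrying the
# --- .crt and .crl over from the offline root (file names are placeholders).
certutil -dspublish -f "C:\pki\Example Root CA.crt" RootCA
certutil -dspublish -f "C:\pki\Example Root CA.crl"

# --- Check before going live: fetch every CDP/AIA URL in the issuing CA's
# --- certificate and confirm chain building and revocation checking resolve.
certutil -verify -urlfetch "C:\pki\IssuingCA.crt"
```

The HTTP location matters most for the DMZ and external use R. mentions: domain members can reach the LDAP CDP and AIA, but hosts outside the forest can only follow the HTTP URLs, and the 26-week CRL period has to fit the operational habit of powering the root on to re-sign the CRL before the overlap window runs out.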