SCEP implementation

Microsoft Applications Security
Posted by Neil on July 17, 2008, 12:30 am
We have developed our Microsoft Server 2003 R2 PKI to issue certificates to
Windows devices and to Cisco routers. The current configuration is a single
Standalone Root CA which has been used to authenticate an Enterprise
Subordinate CA and a Standalone Subordinate CA with SCEP. The Standalone
root CA has then been taken off-line.
Our Windows devices are issued certificates from the Enterprise Subordinate
CA and our Cisco routers are issued certificates from the Standalone CA with
SCEP. We have a backup site configured with Enterprise Subordinates and
Standalone subordinates also.

We are looking at consolidating this deployment by removing the standalone
CA with SCEP and installing SCEP on our Enterprise Subordinate CA. This will
result in all Windows devices and Cisco devices being issued certificates
from the one Enterprise subordinate CA.

My question is: Are there any known problems, security, maintenance or
operational issues with this approach?
Posted by Paul Adare - MVP on July 17, 2008, 5:56 am
On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:

> My question is: Are there any known problems, security, maintenance or
> operational issues with this approach?

Nope.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
On line: A statement shouted at tennis judges in response to serves being
called out.

Posted by Neil on July 20, 2008, 7:31 pm
Hi Paul,
Thanks for the response.

On the SCEP download page there are the following quotes:
http://www.microsoft.com/downloads/details.aspx?familyid=9f306763-d036-41d8-8860-1636411b2d01&displaylang=en

"When using a standalone CA, the CA should be in a separate certification
hierarchy from all other CAs in your organization. This helps prevent any
unintended trust of SCEP clients."

"When using a standalone CA with SCEP as a separate certification hierarchy,
the root CA's certificate and chain should not be trusted by other clients in
the enterprise. In this configuration, the SCEP-oriented PKI is only intended
for trust by intermediate network devices that use SCEP."

So if I use an enterprise CA for SCEP, does that remove the need for having a
separate certification hierarchy?
Could someone please elaborate on why Microsoft have suggested that a
standalone SCEP CA should be in a separate PKI hierarchy?
Thanks

"Paul Adare - MVP" wrote:

> On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:
>
> > My question is: Are there any known problems, security, maintenance or
> > operational issues with this approach?
>
> Nope.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> On line: A statement shouted at tennis judges in response to serves being
> called out.
>

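The guidance Neil quotes comes down to how a relying party decides trust: a domain member, RADIUS server or web server does not trust individual issuing CAs, it trusts root certificates in its store and accepts anything that chains to one, subject to EKU/application policy. A SCEP enrollee proves itself with a challenge password rather than a domain identity, so whatever root the SCEP-issuing CA chains to is the scope in which those certificates are honoured. The model below is an added illustration written for this page, not code from the thread, from Microsoft or from the SCEP add-on. It reduces chain validation to issuer-name chaining plus EKU intersection (no signatures, validity periods, revocation or name constraints), and the CA names, the router name and the assumption that the SCEP template can be restricted to the IKE intermediate EKU are all constructed for the example; only the two EKU OIDs are real.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Real, well-known EKU OIDs.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    # EKU OIDs in the certificate; None models "no EKU extension",
    # which X.509 treats as valid for any purpose.
    ekus: Optional[FrozenSet[str]] = None


def build_chain(leaf: Cert, store: Dict[str, Cert], max_depth: int = 8) -> Optional[List[Cert]]:
    """Follow issuer names upward until a self-signed certificate is reached.
    Returns the chain leaf-first, or None if an issuer is missing or not a CA."""
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.subject == current.issuer:
            return chain
        issuer = store.get(current.issuer)
        if issuer is None or not issuer.is_ca:
            return None
        chain.append(issuer)
        current = issuer
    return None


def accepted_for(leaf: Cert, purpose: str, trust_anchors: FrozenSet[str],
                 store: Dict[str, Cert]) -> Tuple[bool, str]:
    """Relying-party decision: the chain must end at a trusted root, and every
    certificate in the chain that carries an EKU extension must permit
    `purpose` (the effective policy is the intersection along the chain)."""
    chain = build_chain(leaf, store)
    if chain is None:
        return False, "no complete path to a self-signed certificate"
    root = chain[-1]
    if root.subject not in trust_anchors:
        return False, "root %r is not in the relying party's trust store" % root.subject
    for cert in chain:
        if cert.ekus is not None and purpose not in cert.ekus:
            return False, "%r does not permit purpose %s" % (cert.subject, purpose)
    return True, "accepted"


# Constructed certificates for the two designs discussed in the thread:
# an enterprise hierarchy, and a separate hierarchy for SCEP devices.
ENT_ROOT = Cert("Contoso Offline Root CA", "Contoso Offline Root CA", is_ca=True)
ENT_SUB = Cert("Contoso Enterprise Issuing CA", "Contoso Offline Root CA", is_ca=True)
DEV_ROOT = Cert("Contoso Network Device Root CA", "Contoso Network Device Root CA", is_ca=True)
DEV_SUB = Cert("Contoso SCEP Issuing CA", "Contoso Network Device Root CA", is_ca=True)
STORE = {c.subject: c for c in (ENT_ROOT, ENT_SUB, DEV_ROOT, DEV_SUB)}

# What a domain-joined Windows host trusts in this model: only the enterprise root.
DOMAIN_MEMBER_ANCHORS = frozenset({"Contoso Offline Root CA"})


def router_cert(issuer: str, ekus: Optional[FrozenSet[str]]) -> Cert:
    """A SCEP-enrolled router certificate from the given issuing CA (constructed)."""
    return Cert("router01.contoso.com", issuer, ekus=ekus)


def evaluate_designs() -> Dict[str, bool]:
    """Whether a domain member would accept the router certificate for
    client authentication under each design."""
    ike_only = frozenset({EKU_IKE_INTERMEDIATE})
    results = {}
    # Design 1 (current): SCEP on a standalone CA in its own hierarchy.
    ok, _ = accepted_for(router_cert("Contoso SCEP Issuing CA", ike_only),
                         EKU_CLIENT_AUTH, DOMAIN_MEMBER_ANCHORS, STORE)
    results["separate hierarchy"] = ok
    # Design 2 (proposed): SCEP on the enterprise issuing CA, with a template
    # assumed to be restricted to the IKE intermediate EKU.
    ok, _ = accepted_for(router_cert("Contoso Enterprise Issuing CA", ike_only),
                         EKU_CLIENT_AUTH, DOMAIN_MEMBER_ANCHORS, STORE)
    results["enterprise CA, IKE-only template"] = ok
    # Design 2 with a template that issues certificates carrying no EKU at all.
    ok, _ = accepted_for(router_cert("Contoso Enterprise Issuing CA", None),
                         EKU_CLIENT_AUTH, DOMAIN_MEMBER_ANCHORS, STORE)
    results["enterprise CA, unrestricted template"] = ok
    return results


if __name__ == "__main__":
    for design, accepted in evaluate_designs().items():
        print("%-40s client-auth accepted by domain members: %s" % (design, accepted))
```

In the separate-hierarchy design the router certificate is rejected by domain members because its root is simply not in their store, whatever the certificate says about itself; the routers still accept each other because they carry the device root. Once the same certificate chains to the enterprise root, the only thing standing between a SCEP enrollee (or whoever holds the SCEP challenge password) and enterprise-wide client authentication is the EKU the issuing template grants, which is the "unintended trust" the quoted guidance is about.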