Stand-alone vs Enterprise subordinate CA?

Stand-alone vs Enterprise subordinate CA?
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Stand-alone vs Enterprise subordinate CA? Marlon Brown 03-09-2007
Posted by Marlon Brown on March 9, 2007, 12:23 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I am setting up a 2 tier PK infrastructure, Win2003 Ent.

Offlline root CA is already configured. On my offline root ca server. On AIA
I informed a \publicserver\shared\myucert.crt - OK. I put the cert out of
the OffLineRootServer because I understand such server should remain shut
down for the most part.

Next step on the Windows 2003 PKI checklist is:

"Install subordinate certification authorities, as required by your planned
certification hierarchy. These can be stand-alone certification authorities,
or if you are using Active Directory, enterprise certification
authorities...".

Since my "OnlineCAserver" is joined to AD, should I pick the "stand-alone
subordinate" or "enterprise subordinate certification authority".

Sorry if that is a stupid question.




Posted by Brian Komar [MVP] on March 9, 2007, 7:11 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Inline

MarlonBrown@discussions.microsoft.com says...
> I am setting up a 2 tier PK infrastructure, Win2003 Ent.
>
> Offlline root CA is already configured. On my offline root ca server. On AIA
> I informed a \publicserver\shared\myucert.crt - OK. I put the cert out of
> the OffLineRootServer because I understand such server should remain shut
> down for the most part.
>

I would personally never post an CA certificate to a UNC name (even
though supported). Consider changing to LDAP and HTTP locations. the
Best Practices whitepaper provides guidance on this
(www.microsoft.com/pki)

> Next step on the Windows 2003 PKI checklist is:
>
> "Install subordinate certification authorities, as required by your planned
> certification hierarchy. These can be stand-alone certification authorities,
> or if you are using Active Directory, enterprise certification
> authorities...".

You would want an enterprise CA. To take full advantage of the CA
offering, ensure that you install on Windows Server 2003, Enterprise
Edition, not standard edition.

>
> Since my "OnlineCAserver" is joined to AD, should I pick the "stand-alone
> subordinate" or "enterprise subordinate certification authority".
>
> Sorry if that is a stupid question.
>
>
>
> Brian

Posted by NovaSecure on April 2, 2007, 4:44 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Most likely you want to chose the Enterprise Subordinate Certificate
Authority.

"Enterprise" means that the Certificate Authority will use the user and
computer account information in Active Directory to automatically
authenticate users and computers, and issue certificates.

If you chose "stand-alone" you there will be no bridge between your
Active Directory and Certificate Server at all.

best regards,
www.novasecure.no
kare [AT] novasecure [DOT] no


Marlon Brown skrev:
> I am setting up a 2 tier PK infrastructure, Win2003 Ent.
>
> Offlline root CA is already configured. On my offline root ca server. On AIA
> I informed a \publicserver\shared\myucert.crt - OK. I put the cert out of
> the OffLineRootServer because I understand such server should remain shut
> down for the most part.
>
> Next step on the Windows 2003 PKI checklist is:
>
> "Install subordinate certification authorities, as required by your planned
> certification hierarchy. These can be stand-alone certification authorities,
> or if you are using Active Directory, enterprise certification
> authorities...".
>
> Since my "OnlineCAserver" is joined to AD, should I pick the "stand-alone
> subordinate" or "enterprise subordinate certification authority".
>
> Sorry if that is a stupid question.
>
>
>

Similar ThreadsPosted
Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs March 19, 2008, 1:45 am
Standalone/ Enterprise CA issue October 18, 2005, 2:52 am
Question on Enterprise Subordinate CA configuration April 2, 2007, 12:21 pm
Standalone vs Enterprise root CA security. April 8, 2008, 8:13 pm
CAs: Enterprise root on parent domain, subordinate on child domain March 20, 2008, 10:28 am
Standalone Root- Standalone Sub September 13, 2005, 3:43 pm
Upgrading to Windows 2003 Enterprise Edition Enterprise CA October 18, 2005, 4:59 am
root ca/subordinate ca October 3, 2007, 9:11 am
Standalone CA's and CRL August 27, 2008, 9:10 pm
subordinate ent CAs don't publish certs to AD after Win 2k3 SP1 July 23, 2005, 1:00 pm

The site map in XML format XML site map

Contact Us | Privacy Policy