Posted by Brian Komar [MVP] on November 14, 2006, 8:46 am
Comments inline...
EricS@discussions.microsoft.com says...
> I read them ...NOW... three times and since they were not giving me, the
> customer, the information I required, I was hoping for some polite help to
> point me in the correct direction, not a demeaning and belittling comment
> from a Microsoft Representative.
>
First of all, I am not an employee of Microsoft (never have been). This
is just me providing free support to help users. Sorry, I cannot get how
many times you have read documents, but you seem to be not following the
recommendations that are out there.
> Just one more reason to look elsewhere from both a product and support
> standpoint.
>
> I got this from a Linux admin:
>
> 1. No matter what environment you are in, install a standalone ROOT CA.
I can agree with this.
> 2. No matter what environment you are in, install a standalone subordinate CA.
Only if you are doing a three-tiered hierarchy.
> 3. No matter what environment you are in, install your issuing CA's as
> enterprise subordinate CA's, this is where your Active Directory integration
> happens, based on the standalone subordinate CA.
I agree with issuing CAs being enterprise CAs. I have no idea what the
last part of the sentence means.
BTW, I cover a lot of this in my MSPress book. In fact a whole chapter
on implementation.
>
> "Brian Komar [MVP]" wrote:
>
> > EricS@discussions.microsoft.com says...
> > > I have been trying to follow all of the best practices and recommendations
> > > for a W2K3 Enterprise CA solution. I have the Root installed, still online
> > > for right now, and have been trying to get the Intermediate CA that will be
> > > used for policies set up. I would like to follow Microsoft's lead and use a
> > > 10 year, 2040 bit certificate. I have copied the Subordinate Certification
> > > Authority template and increased it to 10 years, copied the new OID and
> > > description from Intermediate Certification Authority and used both of them
> > > in the CAPolicy.inf file in C:\WINDOWS, but I keep getting 2 year
> > > certificates.
> > >
> > > After resolving, I will need to create Issuing CA certificates from the
> > > Policy CA that are 5 years and 2048 bits.
> > >
> > > Thanks for ALL of the input.
> > >
> > You need to read the Best Practices whitepaper.... now....
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> >
> > 1. How do you intend to change an online CA to an offline CA?
> > 2. Look for two commands:
> > certutil -setreg CA\ValidityPeriodUnits 10
> > certutil -setreg CA\ValidityPeriod "Years"
> > 3. If you are following best practices, a three-tiered CA hierarchy has
> > *standalone* CAs for the root and policy tier. (you have used an
> > enterprise root, which you can never disconnect from the network, as it
> > is a domain member... You do not use a certificate template for the
> > subordinate CA unless you are creating a fourth tier (a tier subordinate
> > to an enterprise CA).
> >
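The two certutil commands quoted in the thread set the maximum lifetime of the certificates a CA issues, and they belong on the parent CA that signs the subordinate's certificate, not in the subordinate's own CAPolicy.inf. As an added illustration that is not part of the original thread, this PowerShell script (assumed to be run in an elevated session on that parent CA) applies the two settings, restarts Certificate Services so they take effect, and reads the values back from the registry to verify them.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# PARENT CA (the CA that will sign the subordinate CA certificate). The
# lifetime of any certificate it issues is capped by its ValidityPeriodUnits/
# ValidityPeriod registry values (on an enterprise CA these also cap whatever
# the template asks for) and by the remaining lifetime of its own certificate.
param(
    [int]$Units = 10,   # 10 years for the policy CA; use 5 for the issuing CAs
    [ValidateSet('Years', 'Months', 'Weeks', 'Days')][string]$Period = 'Years'
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaValidityPeriod {
    # Read the effective values straight from the active CA's registry key.
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $caKey  = Join-Path $cfgKey $caName
    $props  = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
    [pscustomobject]@{
        CA     = $caName
        Units  = $props.ValidityPeriodUnits
        Period = $props.ValidityPeriod
    }
}

Write-Host 'Before:' ((Get-CaValidityPeriod | Format-List | Out-String).Trim())

# The two commands quoted in the thread (name and value, no '=' between them).
certutil -setreg CA\ValidityPeriodUnits $Units
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriodUnits failed ($LASTEXITCODE)" }
certutil -setreg CA\ValidityPeriod $Period
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ValidityPeriod failed ($LASTEXITCODE)" }

# The CA reads these values at service start, so restart Certificate Services.
Restart-Service -Name CertSvc

$after = Get-CaValidityPeriod
Write-Host 'After:' (($after | Format-List | Out-String).Trim())
if ($after.Units -ne $Units -or $after.Period -ne $Period) {
    throw 'Validity period was not applied as expected'
}

# Note: a subordinate CA certificate requested now is still cut short if the
# parent CA's own certificate expires sooner than $Units $Period from today.
```

Submit the subordinate CA's request to the parent only after the restart; certificates issued before it keep the old two-year limit.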