using certs in non-domain environments:
Posted by Kristin Griffin on January 23, 2008, 10:40 pm
Hi there.

I have been learning about PKI and AD CS. And there is a lot of material
about using Active Directory to hand out certs.
But what if you were in a non-domain environment? How would 2 companies use
each other's certs? Let's say that company A and company B each had AD CS
running on standalone machines. Let's say they each were part of a
workgroup instead of a domain.

In order to use each other's certs, would they need to manually exchange
certs, put them in each other's cert store, and also exchange the Root CA cert
and put that in the certificate store (in two places I think)?

Or am I thinking about this all wrong?

Thanks for your help.

Kristin



Posted by Paul Adare on January 24, 2008, 5:16 am
On Wed, 23 Jan 2008 19:40:52 -0800, Kristin Griffin wrote:

> I have been learning about PKI and AD CS. And there is a lot of material
> about using Active Directory to hand out certs.
> But what if you were in a non-domain environment? How would 2 companies use
> each other's certs? Let's say that company A and company B each had AD CS
> running on standalone machines. Let's say they each were part of a
> workgroup instead of a domain.
>
> In order to use each other's certs, would they need to manually exchange
> certs, put them in each other's cert store, and also exchange the Root CA cert
> and put that in the certificate store (in two places I think)?

They would need to install each other's root CA certificate in all
computers in their org that needed to trust both their own root, and the
other org's root. The installation of the root certs should be done with a
local administrator account on each computer so that all users of the
computers would trust both their own root and the other org's root.
I don't know what you mean by "in two places I think".
Keep in mind that by doing this each org would trust *every* certificate
issued by the other org.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
You might have mail.

Posted by Brian Komar on January 24, 2008, 5:39 am
The best answer would be to use Cross-Certification with qualified
subordination constraints.
The two companies would cross-certify each other's CA hierarchies and define
explicitly what form(s) of certificates are trusted from the other PKI.
Putting the other organization's certificates into your organization's
trusted root store provides complete and utter trust (may not be desired).
Now, if this is a merger or part of an umbrella group, it could be desired.

See my whitepaper on this at www.microsoft.com/pki
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx

As for non-domain environments....
No easy answer here. Typically, you are looking at generating certificate
requests (often referred to as CSRs) and then submitting the CSRs to CAs.
Another option is to deploy standalone CAs to the non-domain environment,
and issue certificates based on the content of the certificate request,
rather than using certificate templates.

Brian


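The trust models described in the two replies, as an added example that is not code from this thread or from any of the posters: a Go program using the standard crypto/x509 verifier to build two constructed company root CAs (keys generated at run time), have Company B's standalone CA issue server certificates from CSRs based purely on the request content, and then check what Company A accepts under each model. "B root installed" is Paul's approach, and it shows that every certificate B ever issues becomes trusted; "cross-cert" is the qualified-subordination idea Brian mentions, where A's root signs B's root key with a name constraint so that only names under partner-b.example are accepted. The company names, host names, serial numbers and the partner-b.example domain are all made up for the demonstration; in a Windows deployment the equivalent step is placing the root or cross-certificate in the machine's certificate stores rather than in an in-memory pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template gives a one-day certificate skeleton; ca selects CA vs end-entity.
func template(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: ku,
	}
}

// sign issues tmpl under parent; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// makeCSR is the requester's side: a workgroup server makes its own key and a request naming itself.
func makeCSR(dns string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dns}, DNSNames: []string{dns}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// issueFromCSR is the standalone-CA side: subject and names come from the request, not a template.
func issueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { // proof the requester holds the key
		panic(err)
	}
	t := template(csr.Subject.CommonName, serial, false, x509.KeyUsageDigitalSignature)
	t.Subject, t.DNSNames = csr.Subject, csr.DNSNames
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(t, ca, csr.PublicKey, caKey)
}

// trusted reports whether leaf chains to one of roots for dns, optionally via inters.
func trusted(leaf *x509.Certificate, dns string, roots, inters []*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: dns})
	return err == nil
}

// RunScenarios builds both hierarchies and returns Company A's verdict on B's certificates under each model.
func RunScenarios() map[string]bool {
	keyA := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyB := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootA := sign(template("Company A Root CA", 1, true, x509.KeyUsageCertSign), nil, &keyA.PublicKey, keyA)
	rootB := sign(template("Company B Root CA", 2, true, x509.KeyUsageCertSign), nil, &keyB.PublicKey, keyB)
	// Cross-certificate: A's root signs B's root key under B's subject name, constrained to partner-b.example.
	cross := template("Company B Root CA", 3, true, x509.KeyUsageCertSign)
	cross.PermittedDNSDomains = []string{"partner-b.example"}
	crossBbyA := sign(cross, rootA, &keyB.PublicKey, keyA)
	// Two servers in B's workgroup obtain certificates from B's standalone CA via CSRs.
	partner := issueFromCSR(makeCSR("app.partner-b.example"), rootB, keyB, 10)
	other := issueFromCSR(makeCSR("mail.unrelated.example"), rootB, keyB, 11)
	onlyA, both := []*x509.Certificate{rootA}, []*x509.Certificate{rootA, rootB}
	viaCross := []*x509.Certificate{crossBbyA}
	return map[string]bool{
		"no exchange":              trusted(other, "mail.unrelated.example", onlyA, nil),
		"B root installed":         trusted(other, "mail.unrelated.example", both, nil),
		"cross-cert, partner name": trusted(partner, "app.partner-b.example", onlyA, viaCross),
		"cross-cert, other name":   trusted(other, "mail.unrelated.example", onlyA, viaCross),
	}
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-26s trusted=%v\n", name, ok)
	}
}
```

Running it prints four verdicts: before any exchange nothing from B verifies; with B's root installed as a trust anchor the unrelated host name verifies too, which is the "complete and utter trust" Brian warns about; with only the name-constrained cross-certificate, the partner-b.example host verifies while the unrelated name is rejected by the verifier's name-constraint check. The cross-certificate keeps B's own subject name and key so that chain building finds it as the issuer of B's certificates, which is what makes this work without touching B's CA.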

Posted by Kristin L. Grif on January 24, 2008, 1:19 pm
Paul,
Thanks for the reply. What I meant by "two places I think" was that you
need to put the root CA cert of the other company you want to trust into two
places in your certificate store. I think you have to put them in "Trusted
Root Certificate Authorities", but also in "Third Party Root Certificate
Authorities". Is that true, or do you just need to put the root CA cert in one
place?

Brian, I appreciate your recommendations. I have read your info on
cross-certification in your book and will read your whitepaper shortly. You
said: "issue certificates based on the content of the certificate request,
rather than using certificate templates."

I am afraid you lost me a bit there. Can you explain that in layman's terms?
Thanks a lot guys! Cheers, Kristin

