Public Key Infrastructure


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Posted by Rhyd911 on September 12, 2005, 2:40 am
I am going down the path of designing a PKI.

Initially it will be used to provide SSL for OWA and Citrix but will be
used for secure logon to AD in the future.

The architecture I have come up with after some reading is to install a
Stand-Alone Root CA, publish the CRL and Root Certificate to AD, then
install an Enterprise Subordinate Issuing CA to provide the secure AD
function for the internal users. The Stand-Alone Root would then be
secured off the network.

I would then have another Stand-Alone CA in the DMZ to provide the
certificates for SSL and any future VPN requirements from external
parties.

Does this sound reasonable to the CA knowledgeables out there? Also I
had intended for the DMZ CA to be another Stand-Alone Root but have
read articles stating that this could also be a subordinate Stand-Alone
CA.

TIA,
R.


Posted by Mark Gamache on September 15, 2005, 4:38 pm
Your design looks solid. Make sure to consider your root CRL publication
interval, AIA and CRL locations before you get going.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



>I am going down the path of designing a PKI.
>
> Initially it will be used to provide SSL for OWA and Citrix but will be
> used for secure logon to AD in the future.
>
> The architecture I have come up with after some reading is to install a
> Stand-Alone Root CA, publish the CRL and Root Certificate to AD, then
> install an Enterprise Subordinate Issuing CA to provide the secure AD
> function for the internal users. The Stand-Alone Root would then be
> secured off the network.
>
> I would then have another Stand-Alone CA in the DMZ to provide the
> certificates for SSL and any future VPN requirements from external
> parties.
>
> Does this sound reasonable to the CA knowledgeables out there? Also I
> had intended for the DMZ CA to be another Stand-Alone Root but have
> read articles stating that this could also be a subordinate Stand-Alone
> CA.
>
> TIA,
> R.
>
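The following is an added example that is not part of the thread and not the poster's or the reply author's code. It models the hierarchy the original post describes (offline stand-alone root, enterprise issuing CA, a server certificate for OWA) with OpenSSL rather than AD CS, and then exercises the point the reply raises about the root CRL publication interval: an offline root only signs a CRL when someone powers it on, so if that CRL's nextUpdate passes before the next signing, every certificate beneath the root fails revocation checking even though the issuing CA's own CRL is fresh. All names, URLs, lifetimes and file names are constructed placeholders; in AD CS the CDP and AIA locations would be the LDAP and/or HTTP publication points the reply refers to.

```shell
#!/bin/sh
# Added example, not from the thread: model the two-tier hierarchy the post
# describes (offline root -> enterprise issuing CA -> OWA server certificate)
# with OpenSSL and show why the root CRL publication interval matters.
# Every name, URL and lifetime is a constructed placeholder.
set -eu

# One config file: certificate profiles plus a CRL database per CA.
write_config() {
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.internal/root.crl
authorityInfoAccess = caIssuers;URI:http://pki.example.internal/root.crt
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:owa.example.internal
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.internal/issuing.crl
authorityInfoAccess = caIssuers;URI:http://pki.example.internal/issuing.crt
[ root_ca ]
database = root.idx
crlnumber = root.crlnum
default_md = sha256
[ sub_ca ]
database = sub.idx
crlnumber = sub.crlnum
default_md = sha256
EOF
touch root.idx sub.idx && echo 01 > root.crlnum && echo 01 > sub.crlnum
}

# Issue root, issuing CA and OWA certificates in the current directory.
build_pki() {
  # Offline root: self-signed, long-lived, signs only the issuing CA and its CRL.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 3650 -config pki.cnf -extensions v3_root \
    -subj "/CN=Example Offline Root CA" 2>/dev/null
  # Enterprise issuing CA, signed by the root with the v3_sub profile.
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -config pki.cnf -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 1825 -extfile pki.cnf -extensions v3_sub 2>/dev/null
  # OWA server certificate, issued by the issuing CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout owa.key -out owa.csr \
    -config pki.cnf -subj "/CN=owa.example.internal" 2>/dev/null
  openssl x509 -req -in owa.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out owa.crt -days 365 -extfile pki.cnf -extensions v3_leaf 2>/dev/null
}

# publish_crl root|sub <-crldays|-crlsec> <n>: sign a fresh CRL for that CA.
publish_crl() {
  openssl ca -gencrl -config pki.cnf -name "${1}_ca" -keyfile "$1.key" \
    -cert "$1.crt" -out "$1.crl" "$2" "$3" 2>/dev/null
}

# Validate owa.crt with CRL checking on every certificate in the chain.
verify_owa() {
  cat root.crl sub.crl > crls.pem
  openssl verify -crl_check_all -CAfile root.crt -CRLfile crls.pem \
    -untrusted sub.crt owa.crt 2>&1
}

# Returns 0 only if the healthy hierarchy validates, the stale root CRL is
# rejected, and republishing the root CRL restores validation.
pki_demo() {
  work=$(mktemp -d) && cd "$work" && write_config && build_pki || return 1
  # Healthy state: the offline root signs a long-lived CRL (it is only powered
  # on to re-sign it); the online issuing CA publishes a short-lived one.
  publish_crl root -crldays 180 && publish_crl sub -crldays 7 || return 1
  verify_owa || return 1                 # prints "owa.crt: OK"
  # Failure mode: the root CRL's nextUpdate passes before it is republished.
  # Every certificate under the root now fails revocation checking, however
  # fresh the issuing CA's own CRL is.
  publish_crl root -crlsec 1 && sleep 2 || return 1
  if verify_owa; then echo "unexpected: stale root CRL accepted"; return 1; fi
  # Recovery: the periodic offline-root task, republishing before expiry.
  publish_crl root -crldays 180 && verify_owa || return 1
  echo "stale root CRL rejected, fresh one accepted (files left in $work)"
}
pki_demo
```

The practical reading for the design in the thread: the root CRL lifetime has to cover the gap between scheduled offline-root signing sessions plus a safety overlap, the issuing CA's CRL can be short because that CA is online, and both CDP and AIA URLs baked into the certificates must stay reachable for the life of those certificates, which is why the reply says to settle them before the first certificate is issued. The files are left in the temporary directory so each certificate and CRL can be inspected with `openssl x509 -text` or `openssl crl -text`.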


