Anders,

Thank you very much. The news that R2 Standard can be an Enterprise CA
issuing V2 certs is very welcome. A two tier solution sounds about
right for what I'm doing. I'll need to evaluate if OCSP, NDES and role
separation will be required.

Kurt

On Fri, May 13, 2011 at 03:58, Anders Blomgren <chanks...@gmail.com> wrote:
> Inline
>
> On Thu, May 12, 2011 at 2:03 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> All,
>>
>> I'm still in the process of learning this PKI stuff, so I can roll out
>> DA/UAG.
>>
>> I picked up a copy of Brian Komar's Windows Server 2008 PKI and
>> Certificate Security [1], and in reading it I've come up with a buncha
>> (TM) questions. I'm starting on my second time through the book, and
>> am also going through the Ben-Ari and Dolan book on DA/UAG, but the
>> only thing that book says is that you need a fully functioning PKI
>> before doing DA/UAG, and doesn't address what is needed out of that
>> infrastructure in any depth at all.
>>
>> I'm also looking at the lab guides from Microsoft.
>>
>>
>> So, some questions:
>>
>> o- Is a single-tier PKI infrastructure sufficient for DA/UAG (and
>> possibly 802.11 security and other internal use)? One thing I'm
>> worried about is cert requests from our overseas offices, and the
>> probable need to extend PKI over there, as we're a single
>> forest/single domain entity (connected by site-site VPNs), and I'm
>> considering the possibility that I'll need a two or even three tier
>> solution. We're only about 250 people in the US office, and no more
>> than 40 people in either of the overseas offices, if that makes a
>> difference.
>
>
> The normal recommendation is an isolated (and physically very secure) root
> and one or more tiers of issuing CAs, which can be Enterprise CAs if
> that's what you need. Enterprise CA != Enterprise Edition.
> Do you foresee the need for issuing CAs in your remote offices? Few things
> require an instant cert (notably, health certificates are one of those, so if
> you're doing NPS with your DA then you need instant certificates), which
> means the stability of the site-to-site VPN shouldn't matter much.
> If you cannot guarantee the safety of the offline root then more than one
> tier shouldn't matter much unless you have the need for delegation. You can
> use secondary tiers to control issuing policies.
>>
>> o- Will Version 1 X.509 certs be sufficient for DA/UAG and other
>> internal purposes?
>
> Most likely not. You cannot modify V1 templates in any way. Happily, 2008 R2
> lets you work with V2 templates in the standard edition.
>
>>
>> o- Is it still the case with Win2k8 R2 that I will need at least
>> Enterprise to issue Version 2 or Version 3 X.509 certs? In working my
>> way through the Komar book, I see it stated, on page 263, this:
>>
>>     Important: An Enterprise CA running on the Standard Edition of
>>     Windows Server 2003 or Windows Server 2008 can issue certificates
>>     based only on version 1 certificate templates. This is a common
>>     problem encountered by companies because they do not realize that
>>     the Standard edition cannot issue version 2 or version 3
>>     certificate templates. The only way to issue version 2 or version 3
>>     certificate templates is to perform an upgrade in place to the
>>     Enterprise Edition for your version of the operating system.
>
> As per above, the book is not updated with 2008 R2 information. You require
> Enterprise edition for OCSP, SCEP (called NDES in Windows), cross-forest
> enrollment and role separation in issuing.
>
>>
>> o- Apropos of the previous question, our engineers produce hardware
>> and software - if we're going to contemplate signing our software,
>> and/or doing other externally-focused activities that might require a
>> PKI, can I upgrade from Version 1 certs to Version 2 or 3 certs fairly
>> easily, or from Version 2 to Version 3, or will I be able to mix
>> versions? I want to avoid the mistake of doing it the easy way first
>> at the cost of a lot of pain later, but also want to balance that with
>> the initial cost and complexity of installation and management.
>>
>> o- The lab guide from MSFT and Brian Komar's book are in conflict,
>> with Brian stating that it's a bad idea to put your CA on a DC, but
>> the lab recommending to install the CA on the DC. I'm guessing that
>> the lab guide is suggesting doing so just in the name of making a demo
>> project work, without reference to a production implementation.
>> Brian's reasoning certainly makes sense. Has anyone here put up a CA on
>> a DC, and thinks it is a good idea?
>>
>> Thanks,
>>
>> Kurt
>>
>>
>> [1] This book is out of print, with no reprint date set. I had to buy
>> it in soft version, and chose PDF as being most portable. This also
>> applies to Understanding IPv6, Second Edition, by Joseph Davies. I got
>> those, plus the Windows Powershell Cookbook, Second Edition by Lee
>> Holmes for the price of just two of them from O'Reilly.
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>

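The thread turns on two checks an admin would want to run before committing to a design: which template schema versions (V1 vs. V2/V3) actually exist in the forest and are offered by the CA, and whether the CA role has ended up on a domain controller. The following PowerShell script is an added example, not code from the list or from either poster; it assumes a domain-joined Windows Server 2008 R2 box with the RSAT ActiveDirectory and ServerManager modules, and the CA config string is a placeholder you substitute.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory and
# ServerManager modules available; AD Web Services reachable; run as a user
# that can read the forest configuration partition.
Import-Module ActiveDirectory
Import-Module ServerManager

# 1. Enumerate certificate templates in the forest configuration partition.
#    msPKI-Template-Schema-Version: 1 = V1 (fixed, not editable),
#    2 = V2 (editable, 2003+), 3 = V3 (CNG, 2008+), 4 = V4 (2012+).
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templatesDN `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'displayName', 'msPKI-Template-Schema-Version'

$templates |
    Select-Object displayName,
        @{ n = 'SchemaVersion'; e = { $_.'msPKI-Template-Schema-Version' } } |
    Sort-Object SchemaVersion, displayName |
    Format-Table -AutoSize

# Anything at schema version 2 or higher needs a CA that can issue V2+ templates
# (on 2008 R2, Standard edition qualifies; on 2003/2008 it did not).
$templates |
    Group-Object -Property 'msPKI-Template-Schema-Version' |
    ForEach-Object { "{0} template(s) at schema version {1}" -f $_.Count, $_.Name }

# 2. Which templates a given CA is actually configured to issue.
#    certutil ships with Windows; replace the config string with your own
#    "CAHOST\CA Common Name" (placeholder below).
certutil -CATemplates -config 'CAHOST\Placeholder Issuing CA'

# 3. Warn if the CA role is installed on a domain controller.
#    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDC  = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
$hasCA = (Get-WindowsFeature ADCS-Cert-Authority).Installed
if ($isDC -and $hasCA) {
    Write-Warning 'AD CS Certification Authority role is installed on a domain controller.'
} elseif ($hasCA) {
    Write-Output 'CA role present on a member server (not a DC).'
} else {
    Write-Output 'CA role not installed on this host.'
}
```

Running the template query against a fresh forest lists the built-in V1 templates (schema version 1) alongside any duplicated or custom ones at version 2 or 3, which is the quickest way to see whether the edition limitation discussed above would bite. The DC check exists because the book and the lab guide disagree; the WMI DomainRole value is authoritative regardless of what the role wizard allowed.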