My coworker wants to forego the PKI infrastructure and only install an enterprise CA root on our DC or a dedicated machine. What are your thoughts on this?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PKI Infrastructure Question

good approach, especially when using 2003 which allows you to constrain the capabilities of the subordinate CAs (should at least configure them with a basic constraint that contains a pathLenConstraint=2, so that people can't add other subordinates underneath your planned subordinates)

making the root stand-alone and taking it offline is also common practice.

subordinates as Enterprise CAs will give you the most feature-benefits (Auto enrollment etc.) and I don't have an issue with putting these on DCs (you'll have to protect your DCs anyways)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, March 19, 2004 18:15
To: [EMAIL PROTECTED]
Subject: [ActiveDir] PKI Infrastructure Question

We are finally getting around to implementing the PKI infrastructure here and would like some advice. I had emailed several days ago about LDAP - unix box authenticating to AD - and I got that working (in my test lab). Here is what I was going to implement and would like some advice or direction if this is way off base.

Root (Stand-alone) CA (offline)
Subordinate Enterprise CA on DC

Is this normal practice or completely wrong? Would you recommend install on DC or is that a major NO NO? Any thoughts, or advice...

Kind Regards,
Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
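Guido's point about putting a pathLenConstraint on the planned subordinate CAs, worked through as an added example that is not part of the thread: a small Python check of what a given constraint permits beneath a subordinate, following the RFC 5280 section 6.1.4 path-length rules. It runs over constructed chain descriptions rather than real certificates, and the CA names are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CertInfo:
    """Constructed stand-in for the certificate fields that matter here."""
    name: str
    is_ca: bool                     # BasicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means absent/unlimited
    self_issued: bool = False       # issuer == subject (e.g. CA renewal certs)

def check_path_len(chain: List[CertInfo]) -> Optional[str]:
    """Chain is ordered root first, leaf last. Each non-self-issued intermediate
    consumes one unit of max_path_length and a smaller pathLenConstraint lowers
    it (RFC 5280 6.1.4 steps l and m). Returns None if acceptable, else the
    first violation."""
    root, rest = chain[0], chain[1:]
    # The trust anchor is not counted, but its own constraint still caps the budget.
    max_path_length = len(rest) if root.path_len is None else min(len(rest), root.path_len)
    issuer = root
    for idx, cert in enumerate(rest):
        if not issuer.is_ca:
            return f"{issuer.name}: cA=False, so it may not issue {cert.name}"
        if idx != len(rest) - 1:  # intermediate CA certificate, not the leaf
            if not cert.self_issued:
                if max_path_length <= 0:
                    return f"{cert.name}: exceeds the pathLenConstraint set above it"
                max_path_length -= 1
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len
        issuer = cert
    return None

# Constructed chains mirroring the thread's design: offline root, one planned
# subordinate, and an unplanned CA someone tries to hang underneath it.
ROOT = CertInfo("Offline Root CA", is_ca=True)
LEAF = CertInfo("end-entity (constructed)", is_ca=False)
PLANNED_SUB_STRICT = CertInfo("Planned Sub CA", is_ca=True, path_len=0)
PLANNED_SUB_LOOSE = CertInfo("Planned Sub CA", is_ca=True, path_len=2)
UNPLANNED_SUB = CertInfo("Unplanned Sub-Sub CA", is_ca=True)

def demo() -> dict:
    return {
        "strict_direct": check_path_len([ROOT, PLANNED_SUB_STRICT, LEAF]),
        "strict_nested": check_path_len([ROOT, PLANNED_SUB_STRICT, UNPLANNED_SUB, LEAF]),
        "loose_nested": check_path_len([ROOT, PLANNED_SUB_LOOSE, UNPLANNED_SUB, LEAF]),
    }
```

Running demo() shows that pathLenConstraint=0 on the planned subordinate rejects the unplanned sub-sub CA while still allowing direct end-entity issuance, whereas pathLenConstraint=2 accepts the nested CA.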
