I would agree.  I recommended configuring a root standalone (offline) CA and an enterprise 
subordinate issuing CA.   (I realize 3 tier is best but this will work for our 
environment).

Thanks for your opinions.  I don't think my coworker really gets certain things.  


Kind Regards,

Jennifer Fountain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 24, 2004 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] PKI Infrastructure Question

Well, that's not really an "infrastructure" then is it?  That's a single server 
running all the roles with no separation and protection that you get from separation. 
More importantly, PKI has many facets that have to be taken into account.  You can't 
just leave the root CA machine on the network and have it available for people to 
attack (best practice to protect the root CA) and you have to have components in place 
to manage the CRLs etc.  If a single box is deployed, it fulfils the CA, RA, (and so 
on) roles.  Splitting those roles is a best practice but you'll need them for a PKI; 
if your CA is also the RA then it has to be available for clients vs. being off-line 
and protected.  

It all depends on the requirements.  If you just need a cert to get a SSL web page 
running, then it may not be a big deal.  If you intend to issue and manage certs, then 
you really need to consider your approach and best practices etc and it's likely that 
a single server CA isn't going to meet all your needs.

Al 

-----Original Message-----
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Monday, March 22, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PKI Infrastructure Question

My coworker wants to forgo the PKI infrastructure and only install an enterprise root 
CA on our DC or a dedicated machine. What are your thoughts on this?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, March 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PKI Infrastructure Question

Good approach, especially when using 2003 which allows you to constrain the 
capabilities of the subordinate CAs (should at least configure them with a basic 
constraint that contains a pathLenConstraint=2, so that people can't add other 
subordinates underneath your planned subordinates).

Making the root stand-alone and taking it offline is also common practice.
Subordinates as Enterprise CAs will give you the most feature-benefits (auto 
enrollment etc.) and I don't have an issue with putting these on DCs (you'll have to 
protect your DCs anyways).

/Guido
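The pathLenConstraint point above is easy to get wrong in either direction (too loose lets anyone who obtains a certificate from the issuing CA stand up further CAs, too tight blocks a planned tier). The following is an added example, not code from the thread or from any Microsoft tool: a small RFC 5280 section 6.1.4-style check that walks a chain ordered root to leaf and reports whether every issuing certificate has the cA flag and whether the number of non-self-issued CA certificates below each constrained certificate stays within its pathLenConstraint. Certificates are modelled as plain records with constructed names ("CN=Offline Root CA", "CN=Enterprise Issuing CA", "CN=Unplanned Sub 1" and so on); no real X.509 parsing, signature checking or revocation is done.

```python
# Added example (not from the thread): RFC 5280 6.1.4 steps (k), (l), (m)
# applied to a constructed, non-X.509 chain model to show what a given
# basicConstraints.pathLenConstraint value actually permits below a CA.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    # basicConstraints.pathLenConstraint; None means the field is absent
    path_len: Optional[int] = None

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def validate_chain(chain: List[Cert]) -> List[str]:
    """Return validation errors for a chain ordered root -> end entity.

    Only CA depth is modelled: issuer linkage, the cA flag of each issuing
    certificate, and pathLenConstraint processing. Signatures, validity
    periods, revocation and name constraints are out of scope here.
    """
    errors: List[str] = []
    if not chain:
        return ["empty chain"]
    if not chain[0].self_issued:
        errors.append(f"{chain[0].subject}: first certificate is not self-issued")

    # Remaining number of non-self-issued CA certs allowed further down.
    # None means unconstrained. Simplification: the root's own constraint is
    # honoured, although RFC 5280 does not process trust-anchor fields.
    max_path_len: Optional[int] = None
    for i, cert in enumerate(chain):
        if i > 0 and cert.issuer != chain[i - 1].subject:
            errors.append(
                f"{cert.subject}: issuer {cert.issuer!r} does not match "
                f"previous subject {chain[i - 1].subject!r}"
            )
        if i == len(chain) - 1:
            break  # end-entity certificate: no CA processing
        if not cert.is_ca:
            errors.append(f"{cert.subject}: cA=FALSE but it issued {chain[i + 1].subject}")
        # step (l): each non-self-issued intermediate consumes one unit of depth
        if not cert.self_issued and max_path_len is not None:
            if max_path_len <= 0:
                errors.append(
                    f"{cert.subject}: exceeds pathLenConstraint set higher in the chain"
                )
            else:
                max_path_len -= 1
        # step (m): a tighter constraint on this cert lowers the remaining budget
        if cert.path_len is not None and (max_path_len is None or cert.path_len < max_path_len):
            max_path_len = cert.path_len
    return errors


# Constructed sample hierarchy mirroring the design discussed in the thread.
ROOT = Cert("CN=Offline Root CA", "CN=Offline Root CA", is_ca=True)
SUB = Cert("CN=Enterprise Issuing CA", "CN=Offline Root CA", is_ca=True, path_len=2)
SUB_TIGHT = Cert("CN=Enterprise Issuing CA", "CN=Offline Root CA", is_ca=True, path_len=0)
UNPLANNED1 = Cert("CN=Unplanned Sub 1", "CN=Enterprise Issuing CA", is_ca=True)
UNPLANNED2 = Cert("CN=Unplanned Sub 2", "CN=Unplanned Sub 1", is_ca=True)
UNPLANNED3 = Cert("CN=Unplanned Sub 3", "CN=Unplanned Sub 2", is_ca=True)


def leaf(issuer: str) -> Cert:
    """End-entity certificate issued by the named CA (constructed)."""
    return Cert("CN=server.example.test", issuer)


if __name__ == "__main__":
    cases = {
        "planned two-tier, pathLen=2": [ROOT, SUB, leaf(SUB.subject)],
        "two extra tiers under pathLen=2": [ROOT, SUB, UNPLANNED1, UNPLANNED2, leaf(UNPLANNED2.subject)],
        "three extra tiers under pathLen=2": [ROOT, SUB, UNPLANNED1, UNPLANNED2, UNPLANNED3, leaf(UNPLANNED3.subject)],
        "one extra tier under pathLen=0": [ROOT, SUB_TIGHT, UNPLANNED1, leaf(UNPLANNED1.subject)],
    }
    for name, chain in cases.items():
        print(f"{name}: {validate_chain(chain) or 'OK'}")
```

Running the sample cases shows that pathLenConstraint=2 on the issuing CA still allows two further CA tiers beneath it and only rejects a third, while pathLenConstraint=0 rejects any CA certificate issued under it. Whichever value matches your intended hierarchy, it has to be set on the subordinate's certificate at the time the root signs it; after issuance the only way to change it is to reissue the subordinate.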

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, 19 March 2004 18:15
To: [EMAIL PROTECTED]
Subject: [ActiveDir] PKI Infrastructure Question

We are finally getting around to implementing the PKI infrastructure here and would 
like some advice.  

I had emailed several days ago about LDAP - unix box authenticating to AD
- and I got that working (in my test lab).  

Here is what I was going to implement and would like some advice or direction if this 
is way off base.

Root (Stand-alone) CA (offline)
Subordinate Enterprise CA on DC

Is this normal practice or completely wrong?  Would you recommend install on DC or is 
that a major no-no?

Any thoughts, or advice...

Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/