Intermediate CA = subordinate CA. In Windows Cert Services, "enterprise CA" means AD integrated. It publishes information about itself in Active Directory, and clients can auto-enrol certificates.
Cheers
Ken

> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 27 November 2008 10:34 PM
> To: NT System Admin Issues
> Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> Is the 'intermediate CA' the same thing as a 'subordinate CA'? I installed
> the CA services on the DC as a subordinate CA server, maybe it needs to be
> an Enterprise CA server?
>
> Overview:
> Windows Enterprise running Enterprise CA Server publishing to AD
> Two Windows Standard running DC
> ====== Firewall ========== (DCs replicate via IPSEC)
> Two Windows Standard running DC; one running Enterprise subordinate CA
> server
> Workstations.
>
>
> -----Original Message-----
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 26, 2008 4:22 PM
> To: NT System Admin Issues
> Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
>
> Our root CA is offline. I only fire it up every couple of months to keep it
> patched and update the CRLs. You will need an intermediate CA online
> somewhere to issue certificates. The problem is that, if you want to use
> certificate templates and modify the defaults, you need Windows Enterprise
> for the intermediate CA that actually issues the certs. Our root CA is
> Standard, but the intermediate CA is Enterprise.
>
>
> ...Tim
>
>
> > -----Original Message-----
> > From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, November 26, 2008 1:06 PM
> > To: NT System Admin Issues
> > Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
> >
> > The plan was to use our SQL Server (the only Enterprise level server we
> > have) to issue the root CA, publish it to Active Directory and use GPO
> > to push the computer certificate to the workstations.
> >
> > The plan _almost_ works....
> >
> > The workstation fails on auto enrollment because it is sending out a
> > request directly to the SQL server (root CA server) to register the
> > certificate. (I see this via Wireshark) The SQL server is behind a
> > firewall and we really don't want to open any more ports.
> >
> > Is there a way (that I'm obviously missing) to push the certificates
> > directly from AD (Server 2003 R2 STANDARD) so there is no required
> > communication back to the root CA Server??? I'm wanting all the
> > communication to come directly from the domain controller that is in
> > the same network.
> >
> > Do I need to set up the DC as a subordinate CA?
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
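As an added illustration of Ken's point (example code written for this page, not from any poster), the PowerShell below lists the enterprise CAs a domain publishes in the Enrollment Services container of the AD configuration partition, which is exactly where an auto-enrolling workstation looks up which CA host to contact. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the container path and attribute names are the standard AD CS ones.

```powershell
# Added example (not from the thread): which enterprise CAs are published in AD,
# and which host an auto-enrolling client will actually connect to.
# Assumes the ActiveDirectory module is available on a domain-joined machine.
Import-Module ActiveDirectory

$config      = (Get-ADRootDSE).configurationNamingContext
$esContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"

# Each pKIEnrollmentService object is one enterprise (AD-integrated) CA.
# dNSHostName is the server a client sends its RPC/DCOM enrollment request to;
# a standalone subordinate CA never appears here, so clients never pick it.
$cas = Get-ADObject -SearchBase $esContainer -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, cACertificateDN, certificateTemplates

foreach ($ca in $cas) {
    # certutil -ping talks to the same ICertRequest interface auto-enrollment
    # uses, so a failed ping from a client subnet reproduces the symptom in
    # the thread: the workstation chooses this CA and the request is blocked
    # at the firewall.
    $ping = & certutil -config "$($ca.dNSHostName)\$($ca.Name)" -ping 2>$null
    [pscustomobject]@{
        CA          = $ca.Name
        Host        = $ca.dNSHostName
        CertSubject = $ca.cACertificateDN
        Templates   = ($ca.certificateTemplates -join ', ')
        Reachable   = [bool]($ping -match 'interface is alive')
    }
}
```

Run it from a workstation on the far side of the firewall: any CA that advertises templates (Templates non-empty) but shows Reachable = False is one that auto-enrollment will try and fail against, which is the result Wireshark revealed in the original post.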
