Oh wow :)

What are you using certificates for? That's got to be your first question. If 
you just issue a handful of authentication certs and you don't care if your 
Root CA is ever compromised, then just set up another one. As long as it's an 
Enterprise CA (Microsoft's term for AD integrated), then the CA's signing cert 
will be added to all domain joined members as a trusted root CA. You need to 
use Windows Server Enterprise Edition if you want to edit certificate templates.

If you are somewhat worried about the impact of revoking and reissuing your 
root CA's cert in the event of compromise, I strongly suggest you get the MS 
Press PKI book by Brian Komar 
(http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/0735625166/). 
You will gain a good insight into how PKI is supposed to work, and a better 
idea of reference architecture (e.g. having a root CA and a separate issuing 
CA, and why). Then you can make an informed decision on where you want to 
compromise on that reference architecture (e.g. it's not worth dividing these 
two roles).

Cheers
Ken
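As an added example (not code from the thread or from either poster), the following PowerShell inventories the Enterprise CAs published in Active Directory and reports, for each, whether this domain-joined host actually trusts its certificate as a root and whether it is published to the NTAuthCertificates store that NPS/802.1X and smart-card logon depend on. It assumes it is run on a domain member with read access to the Configuration partition; the function name Get-DerCerts is hypothetical.

```powershell
# Added example: list Enterprise CAs in AD and check local root trust plus NTAuth membership.
# Assumes a domain-joined host with read access to CN=Configuration.

$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-DerCerts($values) {
    # Turn every DER blob in a multi-valued AD attribute into an X509Certificate2 object
    foreach ($der in $values) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}

# Thumbprints this machine trusts as roots, and those published to NTAuthCertificates in AD
$localRoot = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
$ntAuthObj = [ADSI]"LDAP://CN=NTAuthCertificates,$pksBase"
$ntAuth    = (Get-DerCerts $ntAuthObj.Properties['cACertificate']).Thumbprint

# Every pKIEnrollmentService object under Enrollment Services is an Enterprise CA
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pksBase"
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
$null = $searcher.PropertiesToLoad.AddRange([string[]]('cn','dNSHostName','cACertificate'))

$searcher.FindAll() | ForEach-Object {
    $cert = Get-DerCerts $_.Properties['cacertificate'] | Select-Object -First 1
    [pscustomobject]@{
        CA          = [string]$_.Properties['cn'][0]
        Host        = [string]$_.Properties['dnshostname'][0]
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        TrustedRoot = $localRoot -contains $cert.Thumbprint
        InNTAuth    = $ntAuth    -contains $cert.Thumbprint
    }
} | Format-Table -AutoSize
```

A CA that is still listed here after its server has been retired is still trusted by every domain member, so remove its objects and certificates rather than just shutting the box down. For a subordinate issuing CA in the two-tier design Ken mentions, TrustedRoot is expected to be False (its cert belongs in the intermediate store; only the offline root is in Root).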

From: N Parr [mailto:[email protected]]
Sent: Friday, 25 February 2011 7:28 AM
To: NT System Admin Issues
Subject: Multiple Root CA's in same domain?

The reason I ask is I'm migrating my Radius for Cisco Wireless Authentication 
from 03 to NPS on 08R2. My existing Root CA is on my Exchange 03 server which 
is next on my list to get migrated to Exchange 2010 and go away. Existing 
Radius server is using existing Exchange server as CA. Can I just set up a new 
Root CA on my 08R2 server that will be running NPS? If so should it be 
Enterprise or Standalone, new private key, etc? Right now when I create the 
new wireless policy in NPS it wants to grab a cert from my old Exchange box. 
If I can set up a new Root CA will NPS automatically use the new local CA?
Thanks
Niles
