Certificate Authority in DMZ

nboothe

My company is going to distribute their own S/MIME certs instead of
paying for Verisign certs every year. We would like to put a Root CA
in our network and Sub CA in our DMZ. We would like the Sub CA to be
the CA that gives out certs. My understanding is that certificates
are stored in a JET database on the CA. This doesn't seem secure
considering the CA will be facing the internet. Has anyone else had
experience putting a CA in a DMZ? If not, any insight will be
appreciated.

Nathan Boothe
 
Brian Komar

How are the users going to request the certificates? If using the Web
enrollment pages, why not just publish the web site to the internet, rather
than exposing the CA?
Brian
 
