Certificate Server Hierarchy Question


Rob

I am trying to set up a website that will require client certificates and I
have read through much of what Microsoft has written about Windows 2000
Server Certificate Server but I am a little bit unsure on the hierarchy of the
servers. Any help anyone can provide would be greatly appreciated.

From what I gather, the best setup would be to have a Standalone Root CA
that is not connected to the network and a Subordinate Root CA that is
networked. I am not really clear on why this is. What is on the Root that
you can't get from the Subordinate? Assuming that this is the
configuration, can the Subordinate Root be on the same server as the web
server? I know it's possible to do this but is it a big security risk?
Does IIS log certificate use so I can know who/when was accessing the site?

Also, once I have this hierarchy ironed out, what is the best/most secure way
to issue certificates to clients online?

Thanks in advance.

Rob
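The hierarchy described in the post above (an offline root that signs only the subordinate, a networked subordinate that issues the client certificates and the CRL), as an added Go example that is not code from this thread or from Microsoft's Certificate Server: `Sign`, `CRL`, `Accept` and the `must` helper are names chosen here, keys are Ed25519 for brevity, and the 24-hour validity and 7-day CRL lifetime are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// Sign issues cn's certificate under parent (nil = self-signed root); CA certs get
// keyCertSign+cRLSign, client certs get digitalSignature plus the clientAuth EKU.
func Sign(cn string, serial int64, isCA bool, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil { parent = t }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// CRL is signed by the issuing (subordinate) CA: revoking a client never needs the root key.
func CRL(issuer *x509.Certificate, key ed25519.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(7 * 24 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, issuer, key))))
}
// Accept mirrors the web server: chain client -> sub -> trusted root with the clientAuth EKU,
// confirm the CRL really came from the sub CA, then reject any serial it lists.
func Accept(root, sub, client *x509.Certificate, crl *x509.RevocationList) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil || crl.CheckSignatureFrom(sub) != nil {
		return false
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(client.SerialNumber) == 0 { return false }
	}
	return true
}
```

Because issuing and revoking need only the subordinate's key, the root can stay off the network; with a single offline root, issuing, revoking and every CRL refresh all fall on the machine that is not connected.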
 

msnews.microsoft.com

Thanks David,
I'll take a look at these this weekend.

Rob


David Cross said:
These two docs should help you out:

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp


--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com


Rob

David,
These references helped a lot and I would just like to run my setup by you. I
have a small website that is going to be accessed by a small number, 15-20, of
users. I would like to make the site require client certificates. Since
there is such a small number of users and because the only thing the
certificate server will be used for is web certificates, I think I can just
make a 1-tier setup with one offline root CA. I will keep this server
unconnected from a network and I will manually create the certificates and
update the CRL. Does this sound ok?

Also, what's the best way to get a client certificate to a geographically
separated user short of putting it on a disk and mailing it to them?

Thanks.

Rob



David Cross [MS]

I think if you use an offline root CA, you will find the burden of manually
updating the CRL, etc. very tedious over time very quickly. I would likely
recommend an enterprise root CA to automate your management. In the case of
geographically distributed people with no connectivity to the CA, there is
no easy way. Your solution is likely as good as any.

--


David B. Cross [MS]

