“I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them.”

I hear this a lot. In fact I heard it this week, and as I’m usually the ‘go-to guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc., but mention Certificate Services and heads disappear below monitors and silence descends. OR WORSE: someone adds the role, clicks Next > Next > Next > Job done! Let’s have tea and medals!

Solution

So in typical PNL fashion, let’s simplify everything, get everyone on the same page, and most importantly, lay out how to do it so I don’t have to do it for you!

To design PKI well, you need to decide if you want a two tier or three tier PKI environment.

Why can’t I just have one CA server? (Hmm, you’re the Next > Next > Next > Job Done person, eh?) Well, you can! But if that one server breaks (or gets compromised) then you are in trouble: that single server’s key is the trust anchor for every certificate you have issued, so losing it means replacing the root in every trust store and re-issuing everything. Plan your deployment properly and save yourself a headache.

Two Tier or Three Tier PKI? That’s your call. The main advantage of three tier PKI is that if one of your issuing servers is compromised, you don’t need to bring the offline Root CA back online to revoke and re-issue its certificate; the intermediate CA that signed it does that instead. I have a client who has an issuing server in their DMZ, so this was a good fit for them. For most domains, Two Tier is the best option.

Do I need CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol) on a separate server? Strictly speaking no, but it’s considered good practice, and if you need to advertise a CRL externally it is more secure, because only the web server publishing the CRL is exposed, not the CA itself.

So I can only have one issuing server? No, I just put one on the diagram for simplicity; you can have 1, or 100, or 1000, it’s up to you.

You will notice I’ve mentioned a Root CA, an Intermediate CA, and an Issuing CA. This is to better explain the architecture and define a difference between an Intermediate CA and an Issuing CA. Microsoft does not care: both of those servers are SubCA servers in Microsoft speak.

Whichever architecture you choose, this will be your first step. The offline Root CA is a non-domain-joined machine; its sole job is to issue SubCA certificates to your intermediate CAs (three tier PKI) or issuing CAs (two tier PKI). When you have finished, you power off the Offline Root CA and keep it off. The one caveat: the root still publishes a CRL with an expiry date, so you must bring it back up (disconnected from the network) to publish a fresh root CRL before the current one expires, or revocation checking of your SubCA certificates will fail.

Before You Install Anything: create a CAPolicy.inf file (you can edit it with Notepad). Note: in my example I want my Root CA cert to last 20 years.
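As an added example (this is not the post’s own CAPolicy.inf), the PowerShell below writes a CAPolicy.inf for an offline root CA whose certificate lasts 20 years, then reads the file back and checks the values that matter before the Certification Authority role is installed. The 4096-bit key, the 26-week base CRL and the file contents are this example’s choices, not the post’s; the check function `Test-CaPolicyInf` is a helper written for this example.

```powershell
# Added example, not from the original post: build a CAPolicy.inf for an
# offline root CA with a 20-year certificate and verify it before installing
# ADCS. Key length and CRL period below are assumptions for this example.

# CAPolicy.inf is read from %windir% when the CA role is installed and again
# when the CA certificate is renewed, so it must exist BEFORE you add the role.
$CaPolicyPath = Join-Path $env:windir 'CAPolicy.inf'

# Single-quoted here-string: no variable expansion, so $Windows NT$ is literal.
$CaPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key size used when the root CA certificate is (re)issued (assumed: 4096).
RenewalKeyLength=4096
; Validity of the root CA certificate: 20 years, as in the post's example.
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; The root is kept powered off, so publish a long-lived base CRL (assumed:
; 26 weeks) and no delta CRL. Boot the root and republish before it expires.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; A standalone root only signs SubCA certificates; do not load templates.
LoadDefaultTemplates=0
'@

# Write as plain ASCII so the INI parser in ADCS setup sees exactly this text.
Set-Content -Path $CaPolicyPath -Value $CaPolicy -Encoding ASCII

function Test-CaPolicyInf {
    # Helper for this example: parse the INI file and confirm the settings
    # that define a 20-year offline root are present with the expected values.
    param([string]$Path = $CaPolicyPath)
    if (-not (Test-Path $Path)) { throw "CAPolicy.inf not found at $Path" }

    $section  = ''
    $settings = @{}
    foreach ($line in Get-Content $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank / comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $settings["$section/$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }

    $expected = @{
        'Certsrv_Server/RenewalValidityPeriod'      = 'Years'
        'Certsrv_Server/RenewalValidityPeriodUnits' = '20'
        'Certsrv_Server/CRLDeltaPeriodUnits'        = '0'
        'Certsrv_Server/LoadDefaultTemplates'       = '0'
    }
    $problems = foreach ($key in $expected.Keys) {
        if ($settings[$key] -ne $expected[$key]) {
            "$key is '$($settings[$key])', expected '$($expected[$key])'"
        }
    }
    if ($problems) { throw ($problems -join "`n") }
    "CAPolicy.inf at $Path is ready for a 20-year offline root CA"
}

Test-CaPolicyInf
```

Run this on the would-be root before adding the role. Once the role is installed you can confirm the file was honoured with `certutil -getreg CA\CRLPeriodUnits`, which should report the 26 from the file rather than the default; if CAPolicy.inf was missing at install time the CA silently falls back to its defaults, which is the mistake the Next > Next > Next approach makes.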