dongocdung
asked on
Enterprise Microsoft Certificate Authority
I am in the process of implementing an Enterprise Certificate Authority on our network. Though, on our network, we already have another 2 enterprise CAs. We only want laptop OUs in our Active Directory to be able to get certificates from this new CA.
How do we configure the new CA so that only the laptop OUs get certificates from the new Certificate Authority? At the same time, laptops in the laptop OUs won't get any certs from the other two Certificate Authorities?
ASKER
Arnold:
Thank you for your info.
Though, can you be a little bit more specific about what we have to do? For example, what do we have to do exactly in Group Policy?
By the way, this new CA is a brand new CA, not a delegated one of the existing ones.
Thanks
Not sure why you would want to have two separate CAs since you would run into problems (certificate validity).
Is the new CA also a DC?
In the GPO you can import the CA's certificate.
Are you planning on having the systems automatically enroll, or do you plan on generating and submitting the requests?
The auto-enroll option does not include a place where you can define to which CA to submit the request.
I think the action will be to submit the request to the DC-CA, but I am unsure whether the existing CA will supersede the newly created one.
ASKER
Can we use permission to restrict access?
For example: I can go to Site and Services/Services/Public Key Services/Certificate Authorities and then go to Security. Right click on the new Certificate Authority. Remove authenticated users and then add in laptops users OU.
Can I do that?
ASKER CERTIFIED SOLUTION
Here is another link that might get you to your goal.
http://technet2.microsoft.com/windowsserver/en/library/9fc9ac6f-78c0-4f50-9c15-4beecf5129161033.mspx?mfr=true
computer settings\windows settings\security settings\public key policies\.
Is the new CA you are setting up a delegated one of the existing ones?
i.e. somedomainexample.com is the DC CAs; the new one is laptops.somedomainexample.
http://technet2.microsoft.com/WindowsServer/en/library/2d82decb-6726-4c5c-b872-1658b0fc3e3e1033.mspx
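The thread above turns on two facts that decide where an auto-enrolling client ends up getting its certificate: which security principals hold the Enroll and Autoenroll rights on each certificate template, and which enterprise CAs publish that template. A template granted to a laptop group and published on more than one CA can be served by any of those CAs, which is why the asker's goal needs both the template ACLs and the per-CA publication lists checked. The following audit script is an added example written for this page, not code from any participant in the thread; it assumes the RSAT ActiveDirectory module is installed on a domain-joined machine with read access to the Configuration partition, and it writes nothing, it only reports.

```powershell
# Added example (not from the thread): for every certificate template in the forest,
# list which principals are allowed to Enroll/Autoenroll and which enterprise CAs
# publish the template. Read-only; assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs for certificate templates as defined in the AD schema
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Map template name -> CAs (pKIEnrollmentService objects) whose certificateTemplates
# attribute lists it. A template that appears under several CAs can be issued by any of them.
$publishedBy = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties certificateTemplates |
  ForEach-Object {
    $ca = $_.Name
    foreach ($t in $_.certificateTemplates) {
        if (-not $publishedBy.ContainsKey($t)) { $publishedBy[$t] = @() }
        $publishedBy[$t] += $ca
    }
  }

# Walk the template objects and pull only the Allow ACEs for the two enrollment rights.
Get-ADObject -SearchBase "CN=Certificate Templates,$pksBase" `
             -LDAPFilter '(objectClass=pKICertificateTemplate)' |
  ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $grants = $acl.Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoenrollGuid)
      } |
      ForEach-Object {
        $kind = if ($_.ObjectType -eq $AutoenrollGuid) { 'Autoenroll' } else { 'Enroll' }
        "$($_.IdentityReference):$kind"
      }
    [pscustomobject]@{
        Template    = $_.Name
        PublishedBy = if ($publishedBy.ContainsKey($_.Name)) { $publishedBy[$_.Name] -join ', ' } else { '(not published)' }
        Grants      = ($grants -join '; ')
    }
  } | Sort-Object Template | Format-Table -AutoSize
```

Reading the output against the asker's goal: a template intended for the laptop OUs should show Autoenroll granted to a group containing only those laptop computer accounts (a group name such as "Laptop-Computers" would be an assumption for this environment) and should be listed under the new CA only; any other template that grants Enroll or Autoenroll to a broad principal such as Domain Computers or Authenticated Users and is published on the two older CAs is a path by which those laptops would still receive certificates from them.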