Solved

Enterprise Microsoft Certificate Authority

Posted on 2008-06-17
8
354 Views
Last Modified: 2008-07-15
I am in the process of implementing Enterprise Certificate Authority on our network. Though, on our network, we already have another 2 enterprise CAs. We only want laptop OUs on our Active Directory to be able to get certificate from this new CA.

How do we configure the new CA so that only the laptop OUs get certificate from the new Certificate Authority? At the same time, laptops on the laptops OUs won't get any certs from the other two Certificate Authority?
0
Comment
Question by:dongocdung
  • 4
  • 2
8 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 21807340
You can configure a GPO policy in
computer settings\windows settings\security settings\public key policies\.

Is the New CA you are setting up a delegated one of the existing ones.
i.e.
somedomainexample.com is the DC CAs.
The new one is
laptops.somedomainexample.com?

http://technet2.microsoft.com/WindowsServer/en/library/2d82decb-6726-4c5c-b872-1658b0fc3e3e1033.mspx
0
 

Author Comment

by:dongocdung
ID: 21809745
Arnold:

Thank you for your info.

Though can you be a little bit more specific of what we have to do. For example, what do we have to do exactly on Group Policy?

By the way, this new CA is a brand new CA, not a delegated one of the existing ones.

Thanks
0
 
LVL 77

Expert Comment

by:arnold
ID: 21810346
Not sure why you would want to have two separate CA's since you would run into problems (certificate validity).
Is the new CA also a DC?
In the GPO you can import the CA's certificate.

Are you planing on having the systems automatically enroll or do you plan on generating and submitting the requests?
The auto-enroll option does not include a place where you can define to which CA to submit the request.
I think the action will be to submit the request to the DC-CA, but unsure whether the existing CA will supersede the newly created one.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:dongocdung
ID: 21812243
Can we use permission to restrict access?

For example: I can go to Site and Services/Services/Public Key Services/Certificate Authorities and then go to Security. Right click on the new Certificate Authority. Remove authenticated users and then add in laptops users OU.

Can I do that?
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 21812408
You can and should, however, I am not sure how you would force the laptops to submit the request to a specific host if it is not the DC against which they authenticate.
You might have to configure the existing CA to forward the certificate request for the laptops to the new CA.
If you manually generate the request, you might be able to specify to which CA you would like the request submitted.
0
 
LVL 77

Expert Comment

by:arnold
ID: 21812899
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
More Than One Website On Same DMZ Server 3 73
Securing Access to Specific Folders 6 49
Soundcloud.com 4 25
Admin account lockout 10 39
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
As a business owner, there are many things that keep you up at night. Profit margins, employee retention, human resource protocols, whether your product or service will remain competitive. When you own or manage a technology company that operates la…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question