Certificate Services

  • Certificate Services

    Do our Standalone Root CA and Standalone Subordinate CA need to be online in order to confirm the Trust Root Path for our users ....


    My testing setup ... Main Goal > AutoEnrollment for End Users


    Standalone Root CA > Standalone Subordinate CA > Enterprise Subordinate Issuing CA > End Users ...


    CA Servers and End Users are on same Network Segments


    CA Servers : 10.x.x.x.
    End Users : 10.x.x.x




    Just for testing Autoenrollment ...
    Last edited by harmandeep; 22nd May 2009, 21:44.
    Blog: http://VirtualizationMaximus.com
    OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best



  • #2
    Re: Certificate Services

    If you've set up the CA as an offline Root and an online Issuing then the offline Root should only ever be online when you need to update the certificate on the Issuing Server or when you need to publish an updated CRL.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Certificate Services

      As mentioned, I had set up all the systems and tried autoenrollment with 2k3 SP2 PKI and Win XP SP2 clients ...

      The interca and rootca ( both standalone ) are offline ...

      When a client system tried to autoenroll for the first time ... it didn't get autoenrolled ...
      Wireshark trace depicts that the client ( xp_sp2_01 ) was looking for interca ( which is offline ) ... why is it looking for the Interca system ( doing NBNS broadcasts ... and suppose our INTERCA is on a completely different network segment where it can't be reached via an NBNS name broadcast ... how would clients know about Interca ... [ leaving the clients' LMHOSTS as a valid option ] ... )

      Wireshark trace has been attached ...

      If our InterCA is online ( rootca is still offline ), everything works fine ...

      Now does our Standalone InterCA need to be online forever to complete AutoEnrollment for our clients ... or is there any other way to handle this ...

      Blog: http://VirtualizationMaximus.com
      OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best




      • #4
        Re: Certificate Services

        Originally posted by cruachan
        If you've set up the CA as an offline Root and an online Issuing then the offline Root should only ever be online when you need to update the certificate on the Issuing Server or when you need to publish an updated CRL.

        Updated CRL = Delta CRL or not?
        Blog: http://VirtualizationMaximus.com
        OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best

