Certificate Authority in DMZ

nboothe

My company is going to distribute their own S/MIME certs instead of
paying for Verisign certs every year. We would like to put a Root CA
in our network and Sub CA in our DMZ. We would like the Sub CA to be
the CA that gives out certs. My understanding is that certificates
are stored in a JET database on the CA. This doesn't seem secure
considering the CA will be facing the internet. Has anyone else had
experience putting a CA in a DMZ? If not, any insight will be
appreciated.

Nathan Boothe
 
How are the users going to request the certificates? If using the Web
enrollment pages, why not just publish the web site to the internet, rather
than exposing the CA?
Brian
 