Certificate Question

Thread starter: DJ
Hello All:

Pulling my hair out trying to implement certificates for VPN. We're going to
be using eTokens side by side with certificates for 2 factor authentication.
We only have a couple dozen users and I would like to minimize their
involvement.
Is there a way that I can set up my CA, issue certificates for each user,
and then take the CA server off-line.

Every time I try to request a certificate for another user, I get no
templates found or problems accessing AD. If I just request the token, I get
it issued and can install it. I'd rather have the control to request certs
on the user's behalf and set up each token. Less trouble in the long run.

Any help would be appreciated. --- using 2003 Enterprise Edition.

Thanks
 
You have to have a root CA and a subordinate CA.
The issuing CA is the subordinate. You can take
the root CA offline, but not the issuing.
 
In addition you can not use "templates" on a standalone CA, they are stored
in AD so they can only be accessed by an Enterprise CA.
There is a lot of misunderstanding as to what an Offline CA is.
An Offline CA is always a standalone CA - it can't really be configured as
an Enterprise CA for several reasons.
An Offline CA does not have to have a network interface, tickets are usually
issued as offline requests to a password encrypted PKS file and normally
distributed via floppy disk or similar.
The same is true for CRLs as well.
It does not mean setting up a CA and then disconnecting the network cable.
It requires the replacement of the CAPolicy.inf file and should be set up on
a standalone environment, preferably without a network card.
The Microsoft Training Kit 70-220 has the most comprehensive guide to using
CA Services.
 