Certificate Server Hierchy Question

Rob · Mar 11, 2004

I am trying to set up a website that will require client certificates and I
have read through much of what Microsoft has written about Windows 2000
Server Certificate Server but I am a little bit unsure on the hierchy of the
servers. Any help anyone can provide would be greatly appreciated.

From what I gather, the best setup would be to have a Standalone Root CA
that is not connected to the network and a Subordinate Root CA that is
networked. I am not really clear on why this is. What is on the Root that
you can't get from the Subordinate? Assuming that this is the
configuration, can the Subordinate Root be on the same server as the web
server? I know it's possible to do this but is it a big security risk?
Does IIS log certificate use so I can know who/when was accessing the site?

Also, once I have this hierchy ironed out, what is the best/most secure way
to issue certificates to clients online?

Thanks in advance.

Rob

David Cross [MS] · Mar 12, 2004

These two docs should help you out:

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

MSA:
http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp

msnews.microsoft.com · Mar 12, 2004

Thanks David,
I'll take a look at these this weekend.

Rob

David Cross said:
These two docs should help you out:

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

MSA:

Click to expand...

http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp

--

David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Rob said:

I am trying to set up a website that will require client certificates

Click to expand...

and

I
have read through much of what Microsoft has written about Windows 2000
Server Certificate Server but I am a little bit unsure on the hierchy of the
servers. Any help anyone can provide would be greatly appreciated.

From what I gather, the best setup would be to have a Standalone Root CA
that is not connected to the network and a Subordinate Root CA that is
networked. I am not really clear on why this is. What is on the Root that
you can't get from the Subordinate? Assuming that this is the
configuration, can the Subordinate Root be on the same server as the web
server? I know it's possible to do this but is it a big security risk?
Does IIS log certificate use so I can know who/when was accessing the site?

Also, once I have this hierchy ironed out, what is the best/most secure way
to issue certificates to clients online?

Thanks in advance.

Rob

Click to expand...

Rob · Mar 15, 2004

David,
These references helped alot and would just like to run my setup by you. I
have small website that is going to be access by a small number, 15-20, of
users. I would like to make the site require client certificates. Since
there is such a small number of users and because the only thing the
certificate server will be used for is web certificates, I think I can just
make a 1-tier setup with one offline root ca. I will keep this server
unconnected from a network and I will manually create the certificates and
update the CRL. Does this sound ok?

Also, what's the best way to get a client certificate to a geographically
seperated user short of putting it on a disk and mailing it to them?

Thanks.

Rob

David Cross said:
These two docs should help you out:

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

MSA:

Click to expand...

http://www.microsoft.com/technet/itsolutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp

--

David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Rob said:

I am trying to set up a website that will require client certificates

Click to expand...

and

I
have read through much of what Microsoft has written about Windows 2000
Server Certificate Server but I am a little bit unsure on the hierchy of the
servers. Any help anyone can provide would be greatly appreciated.

From what I gather, the best setup would be to have a Standalone Root CA
that is not connected to the network and a Subordinate Root CA that is
networked. I am not really clear on why this is. What is on the Root that
you can't get from the Subordinate? Assuming that this is the
configuration, can the Subordinate Root be on the same server as the web
server? I know it's possible to do this but is it a big security risk?
Does IIS log certificate use so I can know who/when was accessing the site?

Also, once I have this hierchy ironed out, what is the best/most secure way
to issue certificates to clients online?

Thanks in advance.

Rob

Click to expand...

David Cross [MS] · Mar 17, 2004

I think you you use an offline root CA, you will find the burden of manually
updating the CRL, etc. very tedious over time very quickly. I would likely
recommend an enterprise root CA to automate your management. In the case of
geographically distributed people with no connectivity to the CA, there is
no easy way. Your solution is likely as good as any.

--

David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Rob said:
David,
These references helped alot and would just like to run my setup by you. I
have small website that is going to be access by a small number, 15-20, of
users. I would like to make the site require client certificates. Since
there is such a small number of users and because the only thing the
certificate server will be used for is web certificates, I think I can just
make a 1-tier setup with one offline root ca. I will keep this server
unconnected from a network and I will manually create the certificates and
update the CRL. Does this sound ok?

Also, what's the best way to get a client certificate to a geographically
seperated user short of putting it on a disk and mailing it to them?

Thanks.

Rob

David Cross said:

These two docs should help you out:

Best Practices:

Click to expand...

http://www.microsoft.com/technet/pr...lutions/msa/msa20rak/VMHTMLPages/VMHtm122.asp

--

David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Rob said:

I am trying to set up a website that will require client certificates

Click to expand...

and

I
have read through much of what Microsoft has written about Windows 2000
Server Certificate Server but I am a little bit unsure on the hierchy

Click to expand...

of
the

servers. Any help anyone can provide would be greatly appreciated.

From what I gather, the best setup would be to have a Standalone Root CA
that is not connected to the network and a Subordinate Root CA that is
networked. I am not really clear on why this is. What is on the Root that
you can't get from the Subordinate? Assuming that this is the
configuration, can the Subordinate Root be on the same server as the web
server? I know it's possible to do this but is it a big security risk?
Does IIS log certificate use so I can know who/when was accessing the site?

Also, once I have this hierchy ironed out, what is the best/most

Click to expand...

secure
way

to issue certificates to clients online?

Thanks in advance.

Rob

Click to expand...

Click to expand...

Certificate Server Hierchy Question

Rob

David Cross [MS]

msnews.microsoft.com

Rob

David Cross [MS]