Public Key on Enterprise CA


Tim Guy

Can anyone point me to any Q's on how to do this please.

Can I have an Enterprise CA that is well established and then add a public
key without losing the certificates that are already given out?

Or do I have to start from the beginning again.

This is going on from a post a few days ago where I am/have installed an
Enterprise CA for a customer to use 802.1x wireless EAP but now the customer
wants to take advantage of that CA and use it for external mail certificates
which will require a public key.

Regards

Tim
 
Tim, I'm unclear on exactly what you are trying to do. Are you asking if a
given Certificate Services instance can have two CAs?
 
I already have an enterprise CA installed into an AD but with a private root
key. This CA is doing 802.1x functions.

The customer now wants to use the CA to validate Emails. To do this, I'm
going to need a Public root key, yeah?

So to do this can I:

Add a public key to the Enterprise CA that is already installed

or

Do I have to lose the current CA and reinstall it but with a public root
key

or

Can one cert srv not provide public and AD certificates at the same time and
I need two cert srvs, one public and one enterprise AD?
 
OK, got it.

This is really going to be driven by the public root that you are chaining
to. They will have different requirements around what type of CA that they
will sign, and what types of certificates they will let you issue.

For the most part, I would use a second CA just to issue certificates that
chain to that root. That way you can use the current CA to issue low-cost
certificates for authentication, and use the other CA to issue S/MIME certs
only to the people who need them (if it chains to a public root, you will be
paying a per-certificate charge). The cost savings should justify the second
CA, but it will be really easy for you to determine that once you look at
pricing.
 
I am trying to do exactly the same thing. I see that Verisign will sell you
digital certificates for about $15 per user. This is if you go to them
directly and there is no Win2K subordinate CA involved. Is there any cost
savings by managing your own subordinate CA with Verisign as the root CA to
issue digital certificates for secure email? Do you have any ideas what
trusted CA is the best value, Verisign, etc?
 
Dave, I cannot provide you with specific recommendations, but I can tell you
that RSA Security, VeriSign, and GeoTrust all offer programs where they will
sign your CA. We are seeing more people look at this option in order to use
the automated certificate issuance and renewal capabilities of the Windows
2000 or Windows Server 2003 Enterprise CA. It is primarily the ease of
issuance and management that makes this interesting versus enrolling
directly to the public CA.
 