CAs Linked into a Hierarchy

Your network design might call for connecting several CAs so that you have separate root and subordinate CAs. Splitting up CAs like this is considered good security by most experts because it allows you to have a root CA that issues certificates only to subordinate CAs, so it can be better protected than the subordinate CA servers. To accomplish this with Certificate Services, first install and configure a root CA as described earlier in this chapter. In particular, you must indicate that you want the newly installed CA to be an enterprise root or a stand-alone root server.

Once you've installed and configured the root CA, your next task is to install and configure each subordinate CA. The installation process is largely identical to the process required to install a root CA, except that you must perform an additional step after you specify the storage location you want to use for your certificates: you must request a certificate for the new CA. You do this with the CA Certificate Request screen, shown in Figure 20-15. What you do with this screen depends on whether the root CA that "owns" this subordinate CA is available on your network or not. The next two sections describe each scenario.

Figure 20-15. The CA Certificate Request screen of the Windows Components Wizard.

Requesting a Certificate if Your Root CA Is Online

If you're using an all-Windows 2000 PKI, and if your root (or parent) CA is available on the network, you're in luck—all you have to do is select Send The Request Directly To A CA Already On The Network, specify the computer name of the parent CA server, and then choose the parent CA instance on that computer from the Parent CA list box. (Remember, a single CA server computer can host multiple CAs.)

Requesting a Certificate if Your Root CA Is Offline

If your root CA isn't available on your network, you'll need to select Save The Request To A File. That forces the wizard to generate a PKCS #10 format certificate request and store it in a disk file. You can then e-mail that file to the root CA, put it on a floppy or smart card, paste it into a Web page, or do whatever else your root CA requires. If you want to submit a certificate request to a Windows 2000 Certificate Services server, you can do so with the following steps:

  1. Open Internet Explorer and connect to http://caServerName/certserv, where caServerName is the DNS name of your root CA.
  2. When the Web CA Request screen appears, select the Request A Certificate option, and then click Next. In the following screen, click Advanced Request and click Next.
  3. Click Submit A Certificate Request Using A Base-64-Encoded PKCS#10 File Or A Renewal Request Using a PKCS#7 File, and then click Next.
  4. Submit the actual subordinate CA request by opening it in Notepad, copying its text, and pasting it into the Saved Request text box. As an alternative, you can use the Browse button to locate the .P10 file on disk and upload it, but this might require that you modify your Internet Explorer settings so that your root CA is a trusted site.
  5. Click Submit. Depending on how you have configured your root CA, you'll get either a message saying that the certificate request is pending or one indicating that it was approved. If it was approved, use the Download Certificate button to retrieve the certificate and store it on your local disk.

If you're not using a Windows 2000 CA, the exact procedure you use to send the request to your CA will vary; consult your CA vendor or documentation for details.

A subtlety is involved in using a third-party CA: The Windows 2000 CA Service expects to be able to build a full certificate path when it starts. If your root CA includes CA certificates for all CAs in the certificate path (the Windows 2000 CA does), you don't have to do anything extra. If not, you'll have to manually add the CA certificates of any parent CAs to the Intermediate Certification Authorities certificate store, as well as add the root CA certificate to the Trusted Root Certification Authorities store. You can do these in any order; the key is to make sure that you've added certificates for the root CA and all subordinate CAs that are parents of the CA you're installing before you try to install the new subordinate CA's certificate and start the CA service.

Once you've loaded any needed certificates from the certificate path and have requested and received a certificate for your new subordinate CA, you still have to load it into the certificate store. You do this from the Certification Authority snap-in. Select the newly installed subordinate CA, and then click Actions, point to All Tasks, and choose Install CA Certificate. Until you do so, your new subordinate CA won't be able to process any requests.
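The same offline-root workflow (submit the saved PKCS #10 request, make sure the full path can be built, install the issued CA certificate, start the service) can be scripted instead of clicked through. This is an added example, not the book's own procedure: the CA config string, file paths and names are placeholders, and the certreq/certutil verbs it uses are documented for later Windows versions, so confirm them against `certutil -?` on the version you administer.

```powershell
# Added example (not from the book): command-line form of the offline-root procedure.
# Placeholder names; certreq/certutil verbs assumed from later Windows versions.
param(
    [string]$RootCaConfig  = "ROOTCA01\Example Root CA",  # "computer\CA name" of the parent CA
    [string]$RequestFile   = "C:\subca.p10",              # PKCS #10 file saved by the wizard
    [string]$IssuedCert    = "C:\subca.cer",              # where the signed CA certificate lands
    [string]$RootCert      = "C:\rootca.cer",             # the root CA's own certificate
    [string[]]$ParentCerts = @()                          # intermediate CAs between root and this CA
)
$ErrorActionPreference = 'Stop'

# 1. Submit the subordinate CA request (the command-line equivalent of steps 1-5 above).
$out = certreq -submit -config $RootCaConfig $RequestFile $IssuedCert
if ($out -match 'pending') {
    # The root CA administrator must approve it; note the RequestId in the output and later run:
    #   certreq -retrieve -config "<RootCaConfig>" <RequestId> <IssuedCert>
    Write-Output "Request is pending approval on $RootCaConfig"; Write-Output $out; return
}
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed:`n$out" }

# 2. Load the path first (the third-party CA subtlety above): root into Trusted Root
#    Certification Authorities, every parent CA into Intermediate Certification Authorities.
certutil -addstore -f Root $RootCert | Out-Null
foreach ($c in $ParentCerts) { certutil -addstore -f CA $c | Out-Null }

# 3. Confirm the issued certificate chains to a trusted root and really is a CA certificate
#    (Basic Constraints "Subject Type=CA") before handing it to the CA service.
$verify = certutil -verify $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "Chain check failed; add the missing parent CA certificates first:`n$verify" }
$dump = certutil -dump $IssuedCert
if ($dump -notmatch 'Subject Type=CA') { throw "Issued certificate is not a CA certificate" }

# 4. Install it as this CA's own certificate and start Certificate Services.
certutil -installcert $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "certutil -installcert failed" }
net start certsvc
```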



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
