A few CA questions

E. Larry Lidz ellidz at eridu.uchicago.edu
Wed Jul 18 20:11:44 GMT 2001


Hello,

We're seeing increasing pressure for running a CA for campus.

We're already testing a CA for providing standard SSL web server
certificates, but it's looking more and more like we need to provide
other types of server certificates.

It's looking like part of our W2k rollout will require a CA. It
appears, however, that the CA needs to support Microsoft and Cisco's
auto-enrollment protocol (SCEP). Ideally, I'd rather have our CA be
offline. So, I'm thinking of a two-tier setup where the Microsoft CA is
signed by our offline root CA.

Additionally, it's looking like the Microsoft CA will need to be part
of the domain -- this isn't a major problem, but it does mean both that
the CA needs to run on a W2k machine (probably using Microsoft's CA)
and also that it is harder to isolate for security purposes (ideally
it could be on a nicely locked down box that only responds to the web
requests for certificates and drops all other network traffic). I'm
also concerned that it might need to be on one of the domain
controllers.

We might need a CA which could be used for L2TP tunnels -- both from
machines inside and outside of the W2k domain. I don't know much
about the Microsoft CA, but I'm not sure if it is designed to handle
requests from outside of the domain. If it can't, it means that we'll
have a third CA.  We may also need a CA which hands out client-side
certificates based on Kerberos authentications. This would mean that
we'd have four different CAs for campus -- a bit excessive, in my
opinion.

Does anyone have any experience with SCEP and/or Microsoft CAs who could
give me a few pointers as to where to start looking for information on
handling a setup like this in this sort of heterogeneous environment?
Is anyone providing a CA that handles these sorts of services?

-Larry
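
The two-tier layout proposed above (an offline root that signs an online issuing CA, which in turn signs server certificates) can be built and checked end to end with OpenSSL. The script below is an added example, not part of the original post and not the Microsoft or Cisco tooling it discusses; it uses OpenSSL as a stand-in for the issuing tier, and the organisation name, hostnames, key sizes and lifetimes are assumptions. What it shows beyond the post is the `pathlen:0` constraint on the issuing CA: the online box can sign end-entity certificates but cannot mint a further sub-CA that chains to the root, which limits the damage if the less isolated domain-joined CA is compromised.

```shell
#!/bin/sh
# Added example: two-tier PKI with an offline root and an online issuing CA.
# Names, lifetimes and the example.edu hostnames are assumptions, not from the post.
set -eu

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Extension profile for each tier. pathlen:0 on the issuing CA means the
# online CA may sign end-entity certificates only, never another CA.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ issuing_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.edu
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# issue NAME SUBJECT CA_NAME EXT_SECTION DAYS
# Generates a key and CSR for NAME and signs it with CA_NAME's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days "$5" -sha256 -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

build_pki() {
    # Tier 1: self-signed root. In a real deployment this key is generated and
    # kept on the offline machine; only root.crt is distributed.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config pki.cnf -extensions root_ca \
        -subj "/O=Example University/CN=Example Campus Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    # Tier 2: online issuing CA (the role the domain-joined CA would play).
    issue issuing "/O=Example University/CN=Example Campus Issuing CA" root issuing_ca 1825
    # End entity: a web server certificate from the issuing CA.
    issue server "/O=Example University/CN=www.example.edu" issuing server 365
}

# Verify the server cert against the root only, with the issuing cert supplied
# as an untrusted intermediate. Returns 0 and prints "server.crt: OK" on success.
verify_server_chain() {
    openssl verify -CAfile root.crt -untrusted issuing.crt server.crt
}

# Why pathlen:0 matters: a compromised issuing CA that mints its own sub-CA
# produces certificates that do not chain to the root. Returns 0 if rejected.
rogue_subca_rejected() {
    issue rogue "/CN=Rogue Sub CA" issuing issuing_ca 365
    issue victim "/CN=victim.example.edu" rogue server 365
    if openssl verify -CAfile root.crt -untrusted issuing.crt -untrusted rogue.crt \
        victim.crt >/dev/null 2>&1; then
        return 1    # chain was accepted; constraint not enforced
    fi
    return 0
}

build_pki
verify_server_chain
rogue_subca_rejected
echo "rogue sub-CA chain rejected (pathlen:0 enforced)"
```

The root key is only touched in `build_pki` and when the issuing CA certificate is renewed, which is the property that lets the root stay offline; everything the campus trusts is `root.crt`, so the issuing CA can be replaced or re-keyed without touching client trust stores. The rogue check is the test to run against any issuing CA certificate before putting it on a box you cannot fully isolate.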
