[unisog] A few CA questions

Eoghan Casey eoghan.casey at yale.edu
Mon Jul 23 16:28:35 GMT 2001


We created a root certificate using openssl and then generated
subordinate W2K CAs for S/MIME and SSL (soon IPSec as well). The root
certificate is offline (in our safe). The W2K machines are "secured" -
we are doing our best to lock them down, restricted access, and keep
them patched (naturally nervous about running IIS). I would not run the
certificate server on a domain controller.

The MS Certificate Services are fairly flexible so you may be able to
vend certificates outside of your domain, depending on if/how you
authenticate requests. The only limitations that we have run into are:

1) You can only run one CA on a machine at any given time.

2) You cannot import certificates generated using openssl. There are
some odd extensions that MS Certificate Server includes and expects.

To learn more about setting up MS Certificate Server, I recommend the
Distributed System Guide in the W2K Resource Kit. However, it was also
necessary to use the MS Knowledge Base, Technet, poke around in the
Registry, arrange a few conference calls with the developers at
Microsoft who work on Certificate Server, and generally muck with the
thing to figure out some of the limitations and problems. Needless to
say, this is an ongoing process - I am currently trying to solve an
authentication problem.

We also have a certificate server that one of our developers created -
we will be using this to vend anonymous user certificates for library
systems (online journals want to move away from the IP address

Additionally, we use Verisign for some secure Web servers and code
signing. I expect that we will have other CAs in the mix in the future.

Eoghan Casey

"E. Larry Lidz" wrote:
> Hello,
> We're seeing increasing pressure for running a CA for campus.
> We're already testing a CA for providing standard SSL web server
> certificates, but it's looking more and more like we need to provide
> other types of server certificates.
> It's looking like part of our W2k rollout will require a CA. It
> appears, however, that the CA needs to support Microsoft and Cisco's
> auto-enrollment protocol (SCEP). Ideally, I'd rather have our CA be
> offline. So, I'm thinking of a two-tier setup where the Microsoft CA is
> signed by our offline root CA.
> Additionally, it's looking like the Microsoft CA will need to be part
> of the domain -- this isn't a major problem, but it does mean both that
> the CA needs to run on a W2k machine (probably using Microsoft's CA)
> and also that it is harder to isolate for security purposes (ideally
> it could be on a nicely locked down box that only responds to the web
> requests for certificates and drops all other network traffic). I'm
> also concerned that it might need to be on one of the domain
> controllers.
> We might need a CA which could be used for L2TP tunnels -- both from
> machines inside and outside of the W2k domain. I don't know much
> about the Microsoft CA, but I'm not sure if it is designed to handle
> requests from outside of the domain. If it can't, it means that we'll
> have a third CA.  We may also need a CA which hands out client-side
> certificates based on Kerberos authentications. This would mean that
> we'd have four different CAs for campus -- a bit excessive, in my
> opinion.
> Does anyone have any experience with SCEP and/or Microsoft CAs who could
> give me a few pointers as to where to start looking for information on
> handling a setup like this in this sort of heterogeneous environment?
> Is anyone providing a CA that handles these sorts of services?
> -Larry
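The two-tier layout both messages describe, an openssl-generated root kept offline that signs a subordinate CA's request, as an added shell example that is not from the thread or from either poster. It assumes a local openssl binary; the organisation, CNs, lifetimes and the pathlen:0 constraint on the subordinate are placeholders, and the subordinate's request could just as well come from another CA product as from openssl.

```shell
# Added example (not from the thread): a two-tier CA built with openssl, in the
# offline-root / subordinate-CA shape described above.  Assumes openssl is
# installed; org, names, lifetimes and the pathlen value are placeholders.
set -e
WORK=${WORK:-$(mktemp -d)}
ORG="/O=Example University"
# Extension profiles.  pathlen:0 lets the subordinate issue end-entity certs
# but not further CAs; only the offline root is allowed to create a CA.
write_profiles() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example University
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}
# csr NAME CN: new key and request.  sign NAME ISSUER PROFILE DAYS: issue it.
csr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "$ORG/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null; }
sign() { openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -sha256 -extfile "$WORK/ca.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null; }
build_pki() {
    write_profiles
    # Offline root: self-signed; root.key is what goes in the safe.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/ca.cnf" \
        -extensions root_ca -subj "$ORG/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    csr sub "Example Issuing CA"; sign sub root sub_ca 1825   # signed once, at the root
    csr leaf "www.example.edu";  sign leaf sub leaf 365        # day-to-day issuance
}
# Relying parties trust only the root; intermediates are supplied as untrusted.
verify_chain() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" \
    "$WORK/$2" >/dev/null 2>&1 && echo OK || echo FAIL; }
# A CA issued by the pathlen:0 subordinate can be built, but relying parties reject it.
pathlen_enforced() {
    csr sub2 "Nested CA"; sign sub2 sub sub_ca 365; csr leaf2 "host"; sign leaf2 sub2 leaf 30
    cat "$WORK/sub.pem" "$WORK/sub2.pem" > "$WORK/chain.pem"
    [ "$(verify_chain chain.pem leaf2.pem)" = FAIL ] && echo yes || echo no
}
```

Run `build_pki` and then `verify_chain sub.pem leaf.pem` to see the end-entity certificate validate against nothing but root.pem; `pathlen_enforced` shows the constraint doing its job when someone tries to grow the hierarchy below the subordinate.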
