Question
Monday, November 5, 2012 3:22 PM
Hopefully a quick one...
One Root CA and two Subordinate Issuing CAs, Domain A Issuing CA = zone1.test.com, Domain B Issuing CA = Zone2.test.com
Would it be correct to assert:
Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com"
Domain A Issuing: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Zone1,DC=test,DC=com"
Domain B Issuing: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Zone2,DC=test,DC=com"
Would it matter if I left out the Root CA DSConfigDN line? What would be the upshot if I did? I "obviously" cannot put in either Zone1 or Zone2 in my root config as surely this would have implications in the Zone1 domain.
Would it matter if during initial build in the DSN section I made CN=RootCA,O=Company,C=USA - so this was embedded in the cert for identification, then in the post script ran certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com"?
Since this is updating the "local" registry and it's a standalone root, is this Config embedded into the certificate somewhere?
Any clarification on this would be marvelous :)
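To make concrete what the DSConfigDN registry value actually does, here is an added example (not code from the thread or from Microsoft). It expands the default certutil LDAP CDP/AIA path templates, in which the %6 token is the CA's DSConfigDN, so you can see where the value lands: in the LDAP URLs the CA writes into the CRL distribution point and authority information access extensions of certificates it issues, and in the container path the CA's CRL is published to. It does not change the CA's own subject DN (the CN=RootCA,O=Company,C=USA part), which is set at install time. The token numbers follow the documented certutil template variables; the server names, CA names and DNs are constructed to match the thread.

```python
# Added example: expand certutil-style CDP/AIA LDAP templates using the CA's
# DSConfigDN (%6) and show the resulting paths for a root CA pointed at
# test.com versus an issuing CA pointed at the Zone1.test.com forest.
# Token meanings follow the documented certutil template variables:
#   %2 ServerShortName, %6 ConfigurationContainer (DSConfigDN),
#   %7 CATruncatedName, %8 CRLNameSuffix, %10 CDPObjectClass, %11 CAObjectClass
import re

# Well-known default ADCS LDAP templates (constructed here to mirror them).
CDP_LDAP_TEMPLATE = "ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
AIA_LDAP_TEMPLATE = "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

# Fixed expansions of the object-class tokens used in the LDAP URLs.
CDP_OBJECT_CLASS = "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
CA_OBJECT_CLASS = "?cACertificate?base?objectClass=certificationAuthority"


def expand_template(template: str, tokens: dict) -> str:
    """Replace %N tokens; two-digit tokens are tried first so %10 is not read as %1 + '0'."""
    def repl(match):
        key = match.group(0)
        if key not in tokens:
            raise KeyError(f"no value supplied for token {key}")
        return tokens[key]
    return re.sub(r"%(1[01]|[1-9])", repl, template)


def ldap_urls(server_short_name: str, ca_name: str, ds_config_dn: str, crl_suffix: str = "") -> dict:
    """Return the CDP and AIA LDAP URLs a CA with this DSConfigDN would emit."""
    tokens = {
        "%2": server_short_name,
        "%6": ds_config_dn,
        "%7": ca_name,
        "%8": crl_suffix,
        "%10": CDP_OBJECT_CLASS,
        "%11": CA_OBJECT_CLASS,
    }
    return {
        "cdp": expand_template(CDP_LDAP_TEMPLATE, tokens),
        "aia": expand_template(AIA_LDAP_TEMPLATE, tokens),
    }


def config_dn_forest(ds_config_dn: str) -> str:
    """Return the forest DNS name implied by a DSConfigDN, rejecting malformed values.

    DSConfigDN must be the forest's Configuration naming context, i.e.
    CN=Configuration followed only by DC= components.
    """
    parts = [p.strip() for p in ds_config_dn.split(",") if p.strip()]
    if not parts or parts[0].lower() != "cn=configuration":
        raise ValueError("DSConfigDN must start with CN=Configuration")
    dcs = [p[3:] for p in parts[1:] if p.lower().startswith("dc=")]
    if not dcs or len(dcs) != len(parts) - 1:
        raise ValueError("DSConfigDN tail must consist of DC= components only")
    return ".".join(dcs)


# Constructed sample values matching the thread's layout.
ROOT = ldap_urls("ROOTCA", "TestRootCA", "CN=Configuration,DC=test,DC=com")
ZONE1 = ldap_urls("ZONE1CA", "Zone1IssuingCA", "CN=Configuration,DC=Zone1,DC=test,DC=com")

if __name__ == "__main__":
    for label, urls, dn in (("root", ROOT, "CN=Configuration,DC=test,DC=com"),
                            ("zone1", ZONE1, "CN=Configuration,DC=Zone1,DC=test,DC=com")):
        print(f"{label}: publishes into forest {config_dn_forest(dn)}")
        print("  CDP:", urls["cdp"])
        print("  AIA:", urls["aia"])
```

Running it shows that the only difference between the root's and the issuing CA's LDAP URLs is the trailing Configuration-container DN, which is why the value has to name a forest the CA can actually write to: an issuing CA in Zone1 with a DSConfigDN of test.com would try to publish into a Configuration partition that does not exist in its forest.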
All replies (4)
Monday, November 5, 2012 4:11 PM ✅ Answered
On Mon, 5 Nov 2012 15:57:13 +0000, PADale wrote:
in the example there's 2 forests: Zone1.test.com and Zone2.test.com - the issuing CAs are obviously in the relevant forests, but the "root" CA isn't in any of them. - so do I Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com" or not?
I "think" you're saying yes? - as in the two forests the Root CA will have test.com in the AIA and Certificate Authority attributes and the issuing CAs will just have "ZoneX.test.com" in the AIA attribute.
What would be the problem if I didn't do Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com" in post root config?
It wasn't clear (or I missed it) in your original post that your examples were different forests, not just different domains in the same forest.
In the case of 2 forests I personally wouldn't bother publishing the root CRL to AD at all, and would simply use a web farm to host the root CRL. Then manually add the root certificate to each forest by using a GPO in each forest.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
You know it is going to be a bad day when you forget your new password.
Monday, November 5, 2012 3:45 PM
On Mon, 5 Nov 2012 15:22:22 +0000, PADale wrote:
Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com"
The configuration partition is replicated forest-wide.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Remember, UNIX spelled backwards is XINU.
Monday, November 5, 2012 3:57 PM
Sorry if I'm being dense :)
in the example there's 2 forests: Zone1.test.com and Zone2.test.com - the issuing CAs are obviously in the relevant forests, but the "root" CA isn't in any of them. - so do I Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com" or not?
I "think" you're saying yes - as in the two forests the Root CA will have test.com in the AIA and Certificate Authority attributes and the issuing CAs will just have "ZoneX.test.com" in the AIA attribute.
What would be the problem if I didn't do Root CA: certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com" in post root config?
Monday, November 5, 2012 4:18 PM
Thanks Paul, :)
So in a forest with TEST.COM as the enterprise forest and Zone 1 and Zone 2 as subdomains,
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=test,DC=com" - is used at the enterprise forest level to push the CRL out to the "entire" enterprise and be pushed down to the Zone1 / Zone2 domains?
And you didn't miss anything - as I said I can be dense, and this is very very helpful.