Question
Thursday, January 19, 2012 9:39 PM
With a single domain forest, is it possible to install two Enterprise Certificate Authorities, one to auto issue Machine Certs and the other to auto issue User Certs?
I understand there is no technical reason for two CA's. I am in a situation where one team is pushing forward to deploy an Ent CA for machine certs in support of Wireless, but not really looking at the bigger picture (i.e. how the CA would impact the generation of User certs for email, etc). So if there becomes a problem with this first CA (i.e. unable to support User Email Certs), then can a second CA be installed to support User Certs? If not, that would provide ammo to help slow down this team.
Thomas Talley
All replies (3)
Thursday, January 19, 2012 11:34 PM ✅Answered | 2 votes
Paul is correct. If you have that level of politics, then tell the other team to build their own forest.
I may sound like I am kidding, but politics has no place in a PKI design.
In a single forest, there is only one certificate template store. If a template is available at both CAs, it is the first one that responds to the requests that will issue the certificate.
You would have to set up two different sets of identical templates to do what you want, which is a waste of effort and time.
I think you need to stomp your feet a little louder now and do a "proper" PKI for the organization with a single point of trust. Give them each an issuing CA and tell them to shut up.
Brian
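Brian's point about the single forest-wide template store can be checked directly from the Configuration partition. The following audit script is an added example, not code from this thread or from Microsoft; it assumes it runs as a domain user on a domain-joined Windows host with default read access to the Configuration partition, lists each Enterprise CA with the templates it publishes, and flags any template published on more than one CA.

```powershell
# Added audit script (not from the thread): list every Enterprise CA in the
# forest and the templates each one publishes, then flag templates published
# on more than one CA, the situation where it is not deterministic which CA
# issues the certificate.
# Assumes: domain-joined Windows host, domain user with read access to the
# Configuration partition (the default for Authenticated Users).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Each Enterprise CA registers a pKIEnrollmentService object; its
# certificateTemplates attribute holds the templates published on that CA.
$caSearcher = New-Object System.DirectoryServices.DirectorySearcher
$caSearcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$caSearcher.Filter = "(objectClass=pKIEnrollmentService)"
$caSearcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

$publishedOn = @{}   # template name -> list of CA names publishing it
foreach ($ca in $caSearcher.FindAll()) {
    $caName    = $ca.Properties["cn"][0]
    $caHost    = $ca.Properties["dnshostname"][0]
    $templates = @($ca.Properties["certificatetemplates"])
    "CA: $caName ($caHost) publishes $($templates.Count) template(s)"
    foreach ($t in $templates) {
        "    $t"
        if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
        $publishedOn[$t] += $caName
    }
}

# The template store itself is forest-wide: one pKICertificateTemplate object
# per template, with no CA affinity. Count it to show there is a single copy
# of every definition regardless of how many CAs exist.
$tplSearcher = New-Object System.DirectoryServices.DirectorySearcher
$tplSearcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tplSearcher.Filter = "(objectClass=pKICertificateTemplate)"
"Forest template store holds $($tplSearcher.FindAll().Count) template definition(s)"

# Templates published on two or more CAs: autoenrollment may obtain the
# certificate from any of them, so publish each template on exactly one CA
# if a specific issuer is required.
$dupes = $publishedOn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($dupes) {
    "Templates published on more than one CA (issuing CA not deterministic):"
    $dupes | ForEach-Object { "    $($_.Key): $($_.Value -join ', ')" }
} else {
    "No template is published on more than one CA."
}
```

Templates that must come from a particular CA should appear under exactly one CA in this output; the same check can be run again after each change to the CAs' published template lists.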
Thursday, January 19, 2012 10:30 PM | 1 vote
On Thu, 19 Jan 2012 21:39:24 +0000, Thomas Talley wrote:
With a single domain forest, is it possible to install two Enterprise Certificate Authorities, one to auto issue Machine Certs and the other to auto issue User Certs?
I understand there is no technical reason for two CA's. I am in a situation where one team is pushing forward to deploy an Ent CA for machine certs in support of Wireless, but not really looking at the bigger picture (i.e. how the CA would impact the generation of User certs for email, etc). So if there becomes a problem with this first CA (i.e. unable to support User Email Certs), then can a second CA be installed to support User Certs? If not, that would provide ammo to help slow down this team.
Yes, you can certainly do this from a technical standpoint, with no problems, however, a PKI should really be an enterprise-wide solution and not simply a quick and dirty tactical solution.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Software: Typically silk nighties, nylons, garter belts. Contrast with hardware.
Thursday, January 19, 2012 10:50 PM
Totally agree, but there is "politics" involved :(
How would one ensure that the appropriate CA is used for each cert? This is in support of auto enrollment for both machine and user (but different CA's)?
Thanks
Tom
Thomas Talley