Enterprise Subordinate CA signed by third party Commercial CA like Verisign/Thawte/etc
Joe
2006-01-30 06:50:58 UTC
Sorry if this is too much of a newbie question; I am just starting to learn
about certificate services & PKI...

We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc and will
also be implementing smartcard login.

From my certificate services reading, it seems that we want to have an
enterprise-level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.

Being a small company, the cost to do this seems a bit excessive.

Would it be possible to have one of the existing well-known CAs (Verisign or
Thawte or ...) be our root CA? I.e., can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement,
right?

I have visited both Verisign & Thawte's sites, and couldn't find anything
about this.

Is this possible? What kind of cost am I looking at to do this?

Thanks for any info,

Joe
Steven Umbach
2006-01-31 02:05:00 UTC
In medium and larger enterprises there is a lot to be said for having an offline
root CA and subordinate CAs. If the root CA is compromised your whole PKI is
compromised and that can be a huge problem. Many small businesses have one CA
and do fine. If no one else, or very few, outside of your company needs to trust
your certificates then it would make sense to use your own CA. Be sure to follow
best practices on securing [including physical security] and backing up your CA.
If an unauthorized person got administrative access to your CA they could issue
certificates to use for authentication, signing, encryption, and possibly
decrypting other users' files/emails that would make your PKI untrustworthy. I
highly recommend that you buy Brian Komar's Microsoft Press book on PKI as shown
at the link below if you want to get up to speed fast. Also keep in mind that
if you can install your CA on Windows 2003 Server Enterprise version instead of
Standard version your CA will be more flexible particularly in using version 2
certificate templates and using Group Policy to issue certificates for users
also. --- Steve

http://www.bookpool.com/sm/0735620210
Post by Joe
Sorry if this is too much of a newbie question; I am just starting to learn
about certificate services & PKI...
We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc and will
also be implementing smartcard login.
From my certificate services reading, it seems that we want to have an
enterprise-level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.
Being a small company, the cost to do this seems a bit excessive.
Would it be possible to have one of the existing well-known CAs (Verisign or
Thawte or ...) be our root CA? I.e., can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement,
right?
I have visited both Verisign & Thawte's sites, and couldn't find anything
about this.
Is this possible? What kind of cost am I looking at to do this?
Thanks for any info,
Joe
Joe
2006-01-31 03:43:36 UTC
Hi Steve -

Thanks for the post. The problem is that yes, we will need to have trust
between multiple companies (at least one other besides ours for now, but
probably more later). Is there any way to have my CA cert signed by a
mutual third party? Or can we also exchange certs between the companies,
and trust each other's certs maybe?

I will definitely purchase the book you mention, because time is (as always
it seems :-)) of the essence.

As far as standard versus enterprise, we have already purchased/installed
standard rather than enterprise, so we are more or less "stuck" with
standard.

Thanks again for your post,

Joe
Post by Steven Umbach
In medium and larger enterprises there is a lot to be said for having an offline
root CA and subordinate CAs. If the root CA is compromised your whole PKI is
compromised and that can be a huge problem. Many small businesses have one CA
and do fine. If no one else, or very few, outside of your company needs to trust
your certificates then it would make sense to use your own CA. Be sure to follow
best practices on securing [including physical security] and backing up your CA.
If an unauthorized person got administrative access to your CA they could issue
certificates to use for authentication, signing, encryption, and possibly
decrypting other users' files/emails that would make your PKI untrustworthy. I
highly recommend that you buy Brian Komar's Microsoft Press book on PKI as shown
at the link below if you want to get up to speed fast. Also keep in mind that
if you can install your CA on Windows 2003 Server Enterprise version instead of
Standard version your CA will be more flexible particularly in using version 2
certificate templates and using Group Policy to issue certificates for users
also. --- Steve
http://www.bookpool.com/sm/0735620210
Post by Joe
Sorry if this is too much of a newbie question; I am just starting to learn
about certificate services & PKI...
We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc and will
also be implementing smartcard login.
From my certificate services reading, it seems that we want to have an
enterprise-level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.
Being a small company, the cost to do this seems a bit excessive.
Would it be possible to have one of the existing well-known CAs (Verisign or
Thawte or ...) be our root CA? I.e., can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement,
right?
I have visited both Verisign & Thawte's sites, and couldn't find anything
about this.
Is this possible? What kind of cost am I looking at to do this?
Thanks for any info,
Joe
Steven L Umbach
2006-01-31 04:33:24 UTC
There are a couple of ways of going about it as Brian explains in the book that
go from relatively simple to very complex [mostly for large companies]. One
way is for the other company to distribute your CA's certificate on their
computers and that can easily be done via Group Policy if used at the other
company [see link below for an example]. The CA certificate contains the
public key and would be in a .cer file. Then their computers would show your
CA in the trusted CA list that you see via the MMC snap-in for certificates
or via Internet Explorer as you can see in tools/internet options/content -
certificates. Usually a third party CA signs web server certificates or such
that are going to need to be widely trusted by internet users. --- Steve

http://www.unixwiz.net/techtips/deploy-webcert-gp.html
Post by Joe
Hi Steve -
Thanks for the post. The problem is that yes, we will need to have trust
between multiple companies (at least one other besides ours for now, but
probably more later). Is there any way to have my CA cert signed by a
mutual third party? Or can we also exchange certs between the companies,
and trust each other's certs maybe?
I will definitely purchase the book you mention, because time is (as
always it seems :-)) of the essence.
As far as standard versus enterprise, we have already purchased/installed
standard rather than enterprise, so we are more or less "stuck" with
standard.
Thanks again for your post,
Joe
Post by Steven Umbach
In medium and larger enterprises there is a lot to be said for having an offline
root CA and subordinate CAs. If the root CA is compromised your whole PKI is
compromised and that can be a huge problem. Many small businesses have one CA
and do fine. If no one else, or very few, outside of your company needs to trust
your certificates then it would make sense to use your own CA. Be sure to follow
best practices on securing [including physical security] and backing up your CA.
If an unauthorized person got administrative access to your CA they could issue
certificates to use for authentication, signing, encryption, and possibly
decrypting other users' files/emails that would make your PKI untrustworthy. I
highly recommend that you buy Brian Komar's Microsoft Press book on PKI as shown
at the link below if you want to get up to speed fast. Also keep in mind that
if you can install your CA on Windows 2003 Server Enterprise version instead of
Standard version your CA will be more flexible particularly in using version 2
certificate templates and using Group Policy to issue certificates for users
also. --- Steve
http://www.bookpool.com/sm/0735620210
Post by Joe
Sorry if this is too much of a newbie question; I am just starting to learn
about certificate services & PKI...
We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc and will
also be implementing smartcard login.
From my certificate services reading, it seems that we want to have an
enterprise-level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.
Being a small company, the cost to do this seems a bit excessive.
Would it be possible to have one of the existing well-known CAs (Verisign or
Thawte or ...) be our root CA? I.e., can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement,
right?
I have visited both Verisign & Thawte's sites, and couldn't find anything
about this.
Is this possible? What kind of cost am I looking at to do this?
Thanks for any info,
Joe
Paul Adare
2006-02-05 08:34:05 UTC
In article <***@TK2MSFTNGP14.phx.gbl>, in the
microsoft.public.windows.server.security newsgroup, Joe
Post by Joe
Is there any way to have my CA cert signed by a
mutual third party?
GeoTrust, and CyberTrust both offer this service.

You really don't want to have the CA that issues your internal
certificates (smart card certs for example) signed by a public root,
however.

Since you've got less than 100 employees I'd strongly suggest that you
set up your own internal PKI using an offline root and an online issuing
CA (and even though you've already purchased Standard Edition I'd
strongly recommend that you purchase Enterprise Edition for your online
issuing CA) and use this PKI for your internal only certificates. For
your external certificates (S/MIME and perhaps SSL) simply purchase them
in bulk from one of the external providers.
--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
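The trust model Steve and Paul describe, as an added example that is not code from this thread, from Microsoft Certificate Services, or from Brian Komar's book: an offline root CA that signs only an online issuing CA, a user certificate for logon and S/MIME issued by that issuing CA, the root CA certificate exported as the .cer a partner company would import into its trusted root store, and a check of what a relying party then accepts and rejects. It uses only Go's standard library; the company names, the "joe" subject, the serial numbers and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PKI is the two-tier hierarchy from the thread: an offline root CA, an online
// issuing (subordinate) CA signed by it, and one user certificate (all constructed).
type PKI struct {
	Root, Issuing, Leaf *x509.Certificate
}

// sign builds a certificate from tmpl, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI generates fresh keys and certificates for one company.
func BuildPKI(company string) (*PKI, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, issuing CA, user
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now().Add(-time.Hour) // small backdate tolerates clock skew
	// Root: self-signed; path length 1 means it signs only the issuing CA, so
	// its private key can live on the offline, locked-up machine.
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: company + " Root CA"},
		NotBefore: now, NotAfter: now.Add(20 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	// Issuing CA: online; path length 0 lets it sign end-entity certs only, never another CA.
	issuing, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: company + " Issuing CA"},
		NotBefore: now, NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	// User cert for logon and S/MIME: not a CA, and no TLS-server EKU, so it is
	// rejected wherever a server certificate is expected.
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "joe", Organization: []string{company}},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, issuing, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Issuing: issuing, Leaf: leaf}, nil
}

// RootCerPEM is the file handed to a partner company: the root CA certificate
// alone (public key, no private key) for their Trusted Root Certification Authorities store.
func (p *PKI) RootCerPEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: p.Root.Raw})
}

// TrustedBy reports whether a relying party whose trust store holds exactly
// trustedRootPEM (nil = empty store) accepts p.Leaf for the given purpose. The
// issuing CA cert travels with the leaf, as in S/MIME or TLS; only the root is pre-installed.
func (p *PKI) TrustedBy(trustedRootPEM []byte, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool() // empty pool on purpose: not the OS trust store
	roots.AppendCertsFromPEM(trustedRootPEM)
	inters := x509.NewCertPool()
	inters.AddCert(p.Issuing)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

func main() {
	ours, err := BuildPKI("Example Corp")
	if err != nil {
		panic(err)
	}
	fmt.Println("partner imported our root .cer, logon cert:", ours.TrustedBy(ours.RootCerPEM(), x509.ExtKeyUsageClientAuth))
	fmt.Println("partner imported nothing:", ours.TrustedBy(nil, x509.ExtKeyUsageClientAuth))
	fmt.Println("our root trusted, cert presented as TLS server:", ours.TrustedBy(ours.RootCerPEM(), x509.ExtKeyUsageServerAuth))
}
```

The point the two replies make shows up in the last check: what a relying party accepts is decided entirely by which root certificate sits in its store and by the usage a certificate was issued for. Distributing the root .cer (by Group Policy, as Steve suggests) is what makes the partner trust the issuing CA and everything below it, and nothing else does; a public CA's signature on the issuing CA would make every Internet client trust those internal logon certificates, which is the exposure Paul is warning about.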