Best Practice Root CA and Subordinate CA - 802.1x

Answered Best Practice Root CA and Subordinate CA - 802.1x

  • Wednesday, 30 January 2013 05:26

    Hi everybody,

    I would like some tips about creating a highly available CA for 802.1x.

    I had a Root CA and now have installed a Subordinate CA from this Root CA.

    Is there any step after installing the subordinate CA? I am thinking about blocking certificate requests for users and computers on the Root CA; is this true?

    Is it possible to use this scenario so that when a Subordinate CA is down the Root CA takes over, and vice versa?

    If not, how do I achieve this goal?

    Is adding a new subordinate CA and creating an Active/Passive cluster an option?


    One observation is the consideration of 802.1x.

    Thanks in advance


    Robson Hasselhoff - Follow me @Robk9e

All replies

  • Wednesday, 6 February 2013 20:21
     Answered

    Hi - Your Root CA should be an offline root with the AIA and CDP published in AD and a web server.  The subordinate needs to be an Enterprise subordinate which leverages certificate autoenrollment.  As for 802.1x, it typically does not hit the CA server directly, but rather the information published in AD and the web server.  AD should already be fault tolerant and 9/10 that would be enough for internal 802.1x.

    ~fr3dd


    fr3dd

  • Thursday, 14 February 2013 11:16

    Hi fr3dd,

    Thanks for your reply, but I cannot make the change in the hierarchy at this time.

    I was thinking of leaving the root CA to issue server certificates and the subordinate CA to issue user and computer certificates for 802.1x.

    Can you give an opinion?

    Thanks


    Robson Hasselhoff - Follow me @Robk9e

  • Thursday, 14 February 2013 12:44

    Hi - Since you already have the Root CA built and in production, I would remove all non-essential certificate templates from the server to prevent unwanted requests.  Again, for redundancy I would issue another subordinate.  If you have two subordinates responsible for the computer and user certificates, there is no way to 'prefer' one server over another.  If you do not require immediate fail-over, I typically dedicate one to computer certificates and the other for user certificates so that it is easier to know where to look for a specific problem.  If one of the servers has an issue, you can simply add the other certificate to the available server.

    The last note I would make is that your 802.1x infrastructure is most certainly completely dependent on the Root CA and more specifically the CRL.  If this server is offline, then you will need to make sure that you always refresh the CRL before it expires.


    ~fr3dd
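The two operational points in fr3dd's replies, trimming the Root CA's certificate templates to an allow-list and watching the NextUpdate of the CRL that 802.1x clients depend on, can be scripted on the CA hosts. The script below is an added example for this thread, not code from fr3dd or from Microsoft; it assumes a Windows Server 2012 or later CA with the built-in ADCSAdministration module (Get-CATemplate / Remove-CATemplate), certutil.exe on the PATH, and that `http://pki.example.com/CertEnroll/RootCA.crl` and the template names are placeholders to replace with your own CDP URL and templates.

```powershell
# Added example (not from the thread): restrict a CA to an allow-list of
# templates and check how close the published CRL is to expiry.
# Assumptions: ADCSAdministration module present (Server 2012+), certutil.exe on
# PATH, and the CDP URL / template names below are placeholders.

Import-Module ADCSAdministration

function Restrict-CATemplates {
    # Remove every template the CA currently offers that is not on the allow-list.
    # Run this on the Root CA to stop it from serving user/computer requests.
    param(
        [Parameter(Mandatory)] [string[]] $AllowedTemplates,
        [switch] $WhatIf
    )
    $removed = @()
    foreach ($t in Get-CATemplate) {           # objects with .Name and .Oid
        if ($AllowedTemplates -notcontains $t.Name) {
            if ($WhatIf) {
                Write-Host "Would remove template '$($t.Name)'"
            } else {
                Remove-CATemplate -Name $t.Name -Force
                Write-Host "Removed template '$($t.Name)'"
            }
            $removed += $t.Name
        }
    }
    return $removed
}

function Test-CrlFreshness {
    # Download the CRL from the HTTP CDP (what the NPS/RADIUS side actually reads)
    # and report the days left until NextUpdate, so the offline root can be
    # brought up to reissue it before 802.1x validation starts failing.
    param(
        [Parameter(Mandatory)] [string] $CdpUrl,
        [int] $WarnDays = 3
    )
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing

    # certutil -dump prints the decoded CRL, including a "NextUpdate:" line.
    $dump = & certutil.exe -dump $tmp
    $nextUpdate = $null
    foreach ($line in $dump) {
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') {
            $nextUpdate = [datetime]::Parse($Matches[1])   # assumes local date format
            break
        }
    }
    if (-not $nextUpdate) { throw "NextUpdate not found in CRL dump for $CdpUrl" }

    $daysLeft = ($nextUpdate - (Get-Date)).TotalDays
    $status = if ($daysLeft -le 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'WARN' }
              else { 'OK' }
    [pscustomobject]@{
        CdpUrl     = $CdpUrl
        NextUpdate = $nextUpdate
        DaysLeft   = [math]::Round($daysLeft, 1)
        Status     = $status
    }
}

# Example usage (placeholders):
# Restrict-CATemplates -AllowedTemplates @('WebServer') -WhatIf
# Test-CrlFreshness -CdpUrl 'http://pki.example.com/CertEnroll/RootCA.crl' -WarnDays 5
```

Run Restrict-CATemplates with -WhatIf first on the Root CA to see which templates would go; in the scenario above the allow-list would be the server certificate template only, leaving user and computer templates on the subordinate. When Test-CrlFreshness reports WARN or EXPIRED, bring the offline root online, regenerate the CRL with `certutil -CRL`, and republish the new file to the web server and to AD (`certutil -dspublish -f <file>.crl`) before the old one lapses, otherwise every 802.1x authentication that checks revocation against the root CRL will start failing at once.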