Issuing Certificates in different AD Forests

    Question

  • I have a requirement to design a CA infra. We have multiple AD Forests and are looking to issue certificates to various devices within each of these forests. Can I still build an Ent Sub-CA and issue certificates to devices which are in different AD Forests and to devices which are not part of the domain? Or should I build a standalone Sub-CA? 

    Also, these AD Forests are spread across various datacenters around the world. Should I design one CA server per datacenter? Any advice on how to go about this?

    Thursday, July 25, 2013 10:08 AM

All replies

  • You may look at cross-forest enrollment: http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.


    Thursday, July 25, 2013 10:49 AM
  • It seems like a two-way trust is a prerequisite to use cross-forest enrollment. This is something that is not possible in our environment.

    What would be the limitations of using a Standalone Sub CA and issuing certs to devices in all the forests (~15 devices per forest)?

    Thursday, July 25, 2013 2:25 PM
  • OCSP can work without the trust.


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Friday, July 26, 2013 9:29 AM
  • It seems like a two-way trust is a prerequisite to use cross-forest enrollment. This is something that is not possible in our environment.

    What would be the limitations of using a Standalone Sub CA and issuing certs to devices in all the forests (~15 devices per forest)?


    In this case you can use a Standalone CA.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Friday, July 26, 2013 9:45 AM
  • When you set up a standalone CA, can it issue all types of certificates like Server, Web Server, Client Authentication, Network Devices etc.? I only see two types of certs that I can request: 1. Web and 2. Email.

    I want to use this CA Server to issue certificates on AD Domain Controllers (in different AD Forests) to enable SLDAP, Network Devices, VMware Servers.

    Kindly advise.

    Saturday, July 27, 2013 6:21 PM
  • A standalone CA can issue the same ultimate certificates as an enterprise CA, but without the use of certificate templates. It all comes down to formulating the correct request attributes (designating every extension, value, setting) you want in the issued certificate.

    You will get to know certreq, iCertReq, PowerShell and CAPICOM very well in your deployment.

    Brian

    Sunday, July 28, 2013 1:22 PM
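    The following PowerShell script is an added example (not part of this thread or of any poster's own material) of what Brian's answer describes: because a standalone CA has no certificate templates, every extension the final certificate needs (Server Authentication EKU, key usage, the subject alternative names for LDAPS on a domain controller) must be spelled out in the request itself. The hostnames (dc01.forest-a.example, forest-a.example), the CA config string (STANDALONE-CA01\Issuing Standalone CA) and the working directory are assumptions for illustration. It runs on the domain controller that needs the certificate and uses only documented certreq.exe / certutil.exe switches; a standalone CA with its default policy leaves the request pending, so the approval step is shown explicitly and must be run by a CA administrator.

```powershell
# Added example: request an LDAPS (Server Authentication) certificate from a
# standalone CA, where the request must carry every extension itself.
# Run elevated on the domain controller that needs the certificate.

$DcFqdn   = 'dc01.forest-a.example'                       # assumption
$DomainDn = 'forest-a.example'                            # assumption (DNS name of the domain)
$CaConfig = 'STANDALONE-CA01\Issuing Standalone CA'       # assumption: "<host>\<CA common name>"
$WorkDir  = 'C:\PKI\Requests'                             # assumption
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$Inf = Join-Path $WorkDir "$DcFqdn.inf"
$Req = Join-Path $WorkDir "$DcFqdn.req"
$Cer = Join-Path $WorkDir "$DcFqdn.cer"

# The .inf is the template substitute: subject, key properties, key usage,
# EKU and SAN are all declared here because the CA will not add them.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeyLength = 2048
KeySpec = 1                      ; AT_KEYEXCHANGE, required for TLS key exchange
KeyUsage = 0xa0                  ; Digital Signature + Key Encipherment
Exportable = FALSE
MachineKeySet = TRUE             ; key lives in the computer store, where LDAP/SChannel looks
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
RequestType = PKCS10
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"             ; Subject Alternative Name
_continue_ = "dns=$DcFqdn&"
_continue_ = "dns=$DomainDn&"
"@ | Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and build the PKCS#10 request.
& certreq.exe -new -machine $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the standalone CA. With the default standalone policy the request
#    is held as Pending; certreq prints the RequestId, which we capture.
$SubmitOutput = & certreq.exe -submit -config $CaConfig $Req $Cer 2>&1 | Out-String
Write-Host $SubmitOutput
$RequestId = [regex]::Match($SubmitOutput, 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $RequestId) { throw 'Could not parse RequestId from certreq output' }

# 3. CA administrator step (run on the CA host, or remotely with the same -config):
#    review the pending request, then issue it. Shown here so the whole flow is visible.
Write-Host "On the CA, approve with: certutil -config `"$CaConfig`" -resubmit $RequestId"

# 4. Once issued, fetch the certificate and bind it to the private key in the machine store.
& certreq.exe -retrieve -config $CaConfig $RequestId $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed; request $RequestId may still be pending" }
& certreq.exe -accept -machine $Cer

# 5. Sanity check: the cert must be in LocalMachine\My, have a private key, and carry the EKU + SAN.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DcFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw 'Issued certificate not found with private key in LocalMachine\My' }
$Eku = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).Format($false)
$San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
"Thumbprint : $($Cert.Thumbprint)"
"EKU        : $Eku"
"SAN        : $San"
```

    Two points worth keeping in mind with this approach. The domain controller only picks the certificate up for LDAPS if the issuing chain (standalone root/sub-CA) is trusted in that forest and the CRL or OCSP responder named in the certificate is reachable from the clients, so the CDP/AIA URLs configured on the standalone CA have to be resolvable from every forest it serves. And because nothing on the CA side constrains what a request may ask for, the administrator approving pending requests is the only control over which names and EKUs get signed; review the SAN and EKU in the pending request before running certutil -resubmit.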
  • Hi,
     
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
      
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
      
    Best Regards
      
    Kevin
    Tuesday, July 30, 2013 3:59 AM