Joining another CA authority server to existing PKI environment

    Question

  • Our current environment has our 2 Enterprise CA servers running Windows 2008 Standard.  We need to create and use version 2 templates.  The CA servers won't allow us to do this.  These servers are under a different group's jurisdiction, and that group sees no reason to change.  At this time our group has limited funds to create an entire PKI infrastructure.  My question is, could we just install the CA service on a Windows 2008 R2 Standard server and use that to create version 2 templates? Or would that cause conflicts with the other issuing servers? Assuming we could include this server in the current PKI hierarchy.
    Friday, July 26, 2013 7:10 PM

Answers

  • Hi,

    that would work. Just remove all pre-assigned certificate templates from the 2008 R2 CA, otherwise domain controllers might request a certificate. Then you create your new v2 templates (in most cases the Windows Server 2003 version), change the security settings so that only your users and computers can request certificates and assign the templates to the CA.

    To install an Enterprise CA you must perform the installation with Enterprise Admin permissions.

    Regards,

    Lutz

    Saturday, July 27, 2013 2:00 AM
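The procedure in the answer above (unpublish the templates the installer assigns, publish only your own v2 template, then check who can enroll against it), as an added PowerShell example that is not part of the original thread. It runs on the new 2008 R2 issuing CA with Enterprise Admin rights and uses only certutil and dsacls; the template name Contoso-V2-UserAuth is a placeholder for whatever you created in certtmpl.msc.

```powershell
# Added example, not from the thread: reduce the new issuing CA's published templates to one
# custom v2 template and inspect that template's enrollment ACL.
# Run elevated on the 2008 R2 CA as an Enterprise Admin.

$CustomTemplate = 'Contoso-V2-UserAuth'   # placeholder: the v2 template you created in certtmpl.msc
$KeepTemplates  = @($CustomTemplate)
$ConfigDn       = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')

# 1. List what the CA currently publishes. "certutil -CATemplates" prints one line per
#    assigned template in the form "TemplateCN: Display Name -- flags", followed by a
#    "CertUtil: ... completed successfully." status line that must be skipped.
$assigned = certutil -CATemplates |
    Where-Object { $_ -match '^\s*(\S+):' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { $Matches[1] }

# 2. Unpublish every pre-assigned template (User, Machine, DomainController, WebServer, ...)
#    so nothing outside this group's own template can be requested from this CA.
#    "-SetCATemplates -Name" removes a template, "+Name" adds one; takes effect immediately.
foreach ($t in $assigned) {
    if ($KeepTemplates -notcontains $t) {
        Write-Host "Unpublishing template $t from this CA"
        certutil -SetCATemplates "-$t" | Out-Null
    }
}

# 3. Publish the custom template (it must already exist in the forest's template store).
certutil -SetCATemplates "+$CustomTemplate" | Out-Null

# 4. Verify: only the custom template should remain.
certutil -CATemplates

# 5. Check the template's enrollment ACL in AD. Only the group's own users and computers
#    should hold the Enroll right; Authenticated Users, Domain Users or Domain Computers
#    with Enroll means anyone in the forest can obtain a certificate from this CA.
$templateDn = "CN=$CustomTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDn"
dsacls "$templateDn" | Select-String -Pattern 'Enroll', 'Authenticated Users', 'Domain Users', 'Domain Computers'
```

The ACL check in step 5 is the part worth keeping around: an Enterprise CA is registered forest-wide at install time, so the certificates it issues are trusted by every domain member regardless of which group owns the server. Restricting Enroll on the template (and not allowing the requester to supply the subject name on a template with the Client Authentication purpose) is what keeps the new CA from becoming a way for any domain account to mint certificates for itself.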

All replies

  • Hi,
     
    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin

    Wednesday, July 31, 2013 1:38 AM