PKI: 2003 Enterprise Sub CA - Is it possible to disable the issuance of the CA Exchange certificate?


  • Tuesday, February 12, 2013 4:10 PM

    Hi


    Is it possible to stop a Windows 2003 Enterprise SubCA from issuing itself a CA Exchange certificate? And if so, how?


    I have a client who specifically has this requirement to prevent the issuance of the CA Exchange certificate. They have no key archival requirements at all and do not issue any encryption certificates. I realise the implications for the 2003 version of PKIView.

    I'm 80% sure it cannot be done but would like some confirmation.


    cheers

    Todd

All Replies

  • Tuesday, February 12, 2013 5:24 PM
     Proposed Answer

    What is the security risk that they see in the issuance of the CA Exchange certificate?

    Just trying to get my head around this request.

    Brian

  • Wednesday, February 13, 2013 10:03 AM

    Hi Brian


    My client's end customer carries out strict enforcement of their own (the end customer's) Certificate Policy and adherence to the CPS (and subsequent certificate profiles, including allowed extensions, etc.) that has been agreed between my client and the end customer. The CA Exchange certificate was not included/agreed to as a type of certificate the CA can issue.

    If it can't be technically implemented, then the next step will be for them to go through the IA governance and add the CA Exchange certificate as an additional agreed certificate profile (linked back to the CPS).

    Hence the requirement to be able to prevent the CA Exchange certificate from being issued.


    cheers

    Todd

  • Wednesday, February 13, 2013 11:30 AM
     Answered

    I believe you are going to have to sharpen the pencil and start the IA governance process.

    The Windows Server 2003 PKI utilizes the CA Exchange certificate, as you mention, for PKIView, and it cannot be stopped from issuing the certificate.

    Brian

    • Marked As Answer by Phat_T Wednesday, February 13, 2013 12:50 PM
  • Wednesday, February 13, 2013 12:49 PM

    Hi Brian

    Thanks for the confirmation. I had a feeling that this was the case but wanted to make sure (pencil sharpening as I type).

    Cheers

    Todd