PKI: 2003 Enterprise Sub CA - Is it possible to disable the issuance of the CA Exchange certificate?
Tuesday, February 12, 2013 4:10 PM
Is it possible to stop a windows 2003 Enterprise SubCA from issuing itself a CA Exchange certificate? and if so, how?
I have a client who specifically has this requirement to prevent the issuance of the CA Exchange certificate. They have no key archival requirements at all and do not issue any encryption certificates. I realise the implications for the 2003 version of PKIveiw.
I'm 80% sure it can not be done but would like some confirmation.
Tuesday, February 12, 2013 5:24 PM
What is the security risk that they see in the issuance of the CA Exchange certificate?
Just trying to get my head around this request
- Proposed As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Tuesday, February 12, 2013 11:59 PM
Wednesday, February 13, 2013 10:03 AM
My clients end customer carries out strict enforcement of their own (the end customers) Certificate Policy and adherence to the CPS (and subsequent certificate profiles including allowed extensions, etc ) that has been agreed to between my client and end customer. The CA Exchange certificate was not included/agreed to as a type of certificate a CA can issue.
If it can't be technically implemented then the next step will be for them to go through the IA governance and add the CA Exchange certificate as an additional agreed certificate profile (linked back to the CPS).
Hence the requirement to be able to prevent the CA Exchange certificate from being issued.
Wednesday, February 13, 2013 11:30 AM
I believe you are going to have to sharpen the pencil and start the IA governance process.
The Windows Server 2003 PKI utilizes the CA Exchange certificate as you mention for PKIView, and cannot be stopped from issuing the certificate.
- Marked As Answer by Phat_T Wednesday, February 13, 2013 12:50 PM
Wednesday, February 13, 2013 12:49 PM
Thanks for the confirmation. I had a feeling that this was the case but wanted to make sure (pencil sharpening as I type).