Setting up a brand new PKI - WS08 R2 - few questions

  • Monday, November 23, 2009 11:48 AM, Konrad Hall
    Hi all,

    I've been digging through a lot of documents before starting a PKI implementation. I'll be using a two-tier approach (offline Root CA, two issuing CAs) running on Windows Server 2008 R2. Now I've got the big picture pretty clear, but I need a few hints.

    1. As stated before, I will be using a two-tier approach. I will only be using one CDP, which will be an HTTP URL hosted on two servers in a DMZ (load balancing). I also would like to use the R2 feature Certificate Web Enrollment Services (CES), which I guess would be installed on the same servers where the CDP is hosted. Will that be sufficient for all Web Enrollment or will I also have to install the "old" Web Enrollment feature?

    2. If I also have to use the "old" Web Enrollment, where would you recommend installing that feature, on the Issuing CA or on a separate server?

    3. I will also be using OCSP, installed on the same servers hosting the CDP. Does the server running the OCSP need to be domain joined?

    4. Is it possible to publish a delta CRL to an HTTP CDP?

    5. With regards to NDES, is that something I have to take into consideration right now or can I implement that feature at a later stage after the PKI has been launched?

    Best Regards
    Konráð Hall

Answers

  • Monday, November 23, 2009 5:17 PM, Vadims Podans (MVP)
    > Will that be sufficient for all Web Enrollment or will I also have to install the "old" Web Enrollment feature?

    This depends on your requirements and environment. The most important limitation is that only Windows 7 and Windows Server 2008 R2 clients can request certificates using HTTP Enrollment. If your clients will be something prior to Windows 7, you may need to install Web Pages. For what purposes do you need this? Who will use them? Your internal domain clients, or external clients? Due to autoenrollment capabilities for internal clients this is not so necessary.

    > If I also have to use the "old" Web Enrollment, where would you recommend installing that feature, on the Issuing CA or on a separate server?

    As said, it depends on your environment. If web pages will be used by external clients, it is recommended to put them on a public web server. In any case you may set up web pages on the same server with the HTTP Enrollment role.

    > I will also be using OCSP, installed on the same servers hosting the CDP. Does the server running the OCSP need to be domain joined?

    No, this is not necessary. The only requirement for the OCSP responder is CRL file availability through any supported protocol (such as LDAP, HTTP, CIFS).

    > 4. Is it possible to publish a delta CRL to an HTTP CDP?

    Sure. In server extensions put <DeltaCRLAllowed>, or %9 in the registry. For these URLs you must set that the Delta CRL will be published to the same location as the Base CRL and that this URL must be added to Freshest CRL. Freshest CRL is published in Base CRL extensions only (you will never see Delta CRL URLs in the certs' CDP).

    Sorry, I can't tell anything about the last question.
    http://www.sysadmins.lv
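The delta-CRL setup described in this answer, as an added worked example (not code from the thread or from the answer's author): one HTTP CDP entry whose file name carries %9 so the delta CRL lands beside the base CRL at the same URL and is advertised in the Freshest CRL extension. The host name, local publish path and CRL lifetimes are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the issuing CA.
# Flag bits in CRLPublicationURLs (the decimal number before the colon):
#   1  = publish base CRL to this location          (CSURL_SERVERPUBLISH)
#   2  = add URL to the CDP extension of issued certs (CSURL_ADDTOCERTCDP)
#   4  = add URL to the Freshest CRL extension of the base CRL (CSURL_ADDTOFRESHESTCRL)
#   64 = publish delta CRL to this location          (CSURL_SERVERPUBLISHDELTA)
# Token variables: %3 = CA name, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed
# (%9 expands to "+" for the delta CRL, so base and delta get distinct file names).

$cdpHost = 'pki.example.com'   # assumption: the load-balanced DMZ web servers

$crlUrls = @(
  # 65 = 1 + 64: write both the base and the delta CRL file to the local CertEnroll
  # folder (the copy to the DMZ web servers is a separate step, not shown here).
  '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
  # 6 = 2 + 4: the HTTP URL goes into every cert's CDP (base CRL) and into the
  # Freshest CRL extension of the base CRL (delta CRL). Same location for both,
  # which is exactly what the answer above requires.
  "6:http://$cdpHost/cdp/%3%8%9.crl"
) -join '\n'   # certutil expects a literal \n between REG_MULTI_SZ entries

certutil -setreg CA\CRLPublicationURLs $crlUrls

# Enable delta CRLs: a non-zero CRLDeltaPeriodUnits turns them on (values assumed).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'

Restart-Service certsvc

# Publish a fresh base + delta CRL, then verify the decoded flags of each entry.
certutil -CRL
certutil -getreg CA\CRLPublicationURLs
```

After publishing, `certutil -dump` on the base CRL should show the HTTP URL under the Freshest CRL extension, while the delta CRL (`<CA>+.crl`) carries none.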

All Replies

  • Monday, November 23, 2009 10:58 PM, Konrad Hall
    Thanks for the answer,

    As soon as I submitted the question I realized the CES (R2 feature) and Web Enrollment depend on the client versions.

    I have a mixed environment, XP, Vista, and soon W7 clients. I guess I'll set up Web Enrollment on the intranet and put the CES in the DMZ in order for clients to renew their certs from the internet. (I'm not going to set up CEP.)
    Konráð Hall