Root Certificate & Subordinate question

    Question

  • We are looking to use SCEP to obtain certificates from AD to issue to mobile devices.  I do know we need a 2008 R2 server to be able to use SCEP.  

    The problem we may run into is our Root CA is still running on Server 2000.  Does this create any challenges, especially when adding a 2008 R2 as a new Subordinate into our existing certificate server environment?

    Monday, February 20, 2012 1:26 PM

Answers

All replies

  • Windows 2000 Server OS is past its supportability stage - so this would be the primary issue to be concerned about.

    For CA specific questions, refer to the security forum:

    http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

    hth
    Marcin


    Monday, February 20, 2012 1:24 PM
  • NDES (the Windows implementation of the SCEP protocol) is available in Windows Server 2003 (as an add-on) and in newer systems (as a built-in role, Network Device Enrollment Service).

    Windows Server 2008 CA is compatible with Windows 2000 root.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by Bruce-Liu Tuesday, February 28, 2012 10:25 AM
    Monday, February 20, 2012 1:35 PM
  • I agree with Marcin about posting this to the CA forum and Windows 2000 legacy's status.

    In addition, and FYI, you'll need a v.2 certificate template for the purpose you posted, which wasn't supported until you install Certificate Services on Windows 2003 Enterprise Edition or newer. You need the Enterprise Editions, because the Standard Edition does not provide this template version, except 2008 R2 Standard, but 2008 R2 Std doesn't provide the web enrollment features. The CA forum will give you more specifics about this.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 20, 2012 3:34 PM