Subordinate CA for NPS - Standalone or Enterprise?

  • Cross post from Security Forum

    I'm trying to decide between a Standalone or an Enterprise subordinate CA for issuing System Health Authentication Certificates.
    I don't want to issue certificates to non-domain computers.
    I do want short validity certificates (4 hours) for NAP client computers, and longer ones (1 year) for NAP exempt computers.
    As I understand it I have to use the same System Health Authentication certificate template with the Application Policy Object identifier for both short and long validity certificates.

    I encounter problems with both solutions:

    With the Enterprise Sub CA I get the same certificate validity period for the SubCA as for the Root CA. I think I can change this: http://support.microsoft.com/kb/281557

    With the standalone Sub CA I get an error message: "The requested certificate template is not supported by this CA" when trying to obtain a system health certificate from the standalone subordinate CA.
    When I read the help about this I see "Stand-alone CAs do not require AD DS and do not use certificate templates" http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx. However, this is the method used in the Test Lab: "Demonstrate IPSec NAP enforcement"

    Can someone clarify please?

    Wednesday, October 12, 2011 1:38 PM
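The KB 281557 change mentioned in the post boils down to two CA registry values. The snippet below is an added example, not part of the original thread or of Microsoft's documentation; the 5-year value and the name of the CA host are assumptions, and it is typed in an elevated PowerShell prompt on the parent CA before the subordinate CA's request is submitted.

```powershell
# Added example: inspect and raise the maximum validity period a Windows CA
# will put on any certificate it issues (the value KB 281557 refers to).
# On an Enterprise CA this value caps whatever the template asks for; on a
# standalone CA, which has no templates, it is what sets the lifetime outright.

# Show what the CA currently enforces (the default is 1 year).
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod

# Assumption: allow certificates of up to 5 years so the subordinate CA
# certificate is no longer capped at the parent's 1-year default.
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"

# certsvc reads these values at start-up, so restart it for them to apply.
Restart-Service certsvc

# Confirm the new cap before issuing the subordinate CA certificate.
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod
```

Lower the value back to the earlier setting once the subordinate CA certificate has been issued, so ordinary end-entity certificates are not issued with the longer lifetime.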