Offline Root CA for Two Separate Domains

Question
What would be the best way to configure an Offline Root CA so that it could publish to two separate Online CAs in two separate domains? I'm at the step in the process where you map the Namespace of Active Directory to an Offline CA's Registry Configuration using the certutil.exe -setreg ca\DSConfigDN CN=Configuration,DC=concorp,DC=contoso,DC=com command. How can you configure the Offline Root CA if it will be mapped to multiple namespaces?
- Edited by DG1212 Wednesday, October 30, 2013 5:53 PM
Wednesday, October 30, 2013 3:32 PM
Answers
Hi,
in that case I would recommend using only HTTP URLs for the CDP and AIA extensions. Then you can import the Root CA certificate into AD with certutil.exe -f -dspublish rootca.cer RootCA. Then you create the Enterprise CAs in each AD forest (I assume you are talking about two forests, because if you had two domains in the same forest you would not have that problem) and request a subordinate CA certificate for each CA from the Root CA.
Here is some planning help. http://technet.microsoft.com/en-us/library/jj125370.aspx
Regards,
Wednesday, October 30, 2013 8:38 PM
Hi,
I agree with LutzHM, when you have two or more forests, you should really only be using HTTP URLs for the CRLs.
The HTTP location should be both internally and externally accessible (from both forests).
The thread below is similar to this; please go through it for more details:
Publishing Offline Root CRL to Two AD Forests
Regards,
Yan Li
Thursday, October 31, 2013 5:44 AM
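Added example (not from the thread or from either poster): the HTTP-only CDP/AIA setup LutzHM and Yan Li recommend, applied on the offline root with certutil, followed by the manual per-forest publication of the root certificate and CRL. The hostname pki.example.com and the file names RootCA.cer, RootCA.crl and SubCA.cer are placeholders; the flag values and %-tokens are the standard certutil ones.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the offline root CA. pki.example.com is a placeholder for a web
# host that both forests can reach (internally and externally, per Yan Li).
$HttpBase = 'http://pki.example.com/pki'

# CDP (CRLPublicationURLs): flag 1 = write the CRL to this local path,
# flag 2 = put the URL into the CDP extension of issued certificates.
# %3 = CA name, %8 = CRL index, %9 = delta-CRL suffix. certutil treats a
# literal "\n" as the REG_MULTI_SZ separator. With no LDAP URL the %6 token
# (DSConfigDN) is never used, so mapping one forest's Configuration
# container via CA\DSConfigDN, as in the question, is not required.
$Cdp = "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       "\n2:$HttpBase/%3%8%9.crl"

# AIA (CACertPublicationURLs): flag 1 = write the CA certificate locally,
# flag 2 = put the URL into the AIA extension.
# %1 = server DNS name, %3 = CA name, %4 = certificate renewal suffix.
$Aia = "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:$HttpBase/%1_%3%4.crt"

certutil.exe -setreg CA\CRLPublicationURLs $Cdp
certutil.exe -setreg CA\CACertPublicationURLs $Aia

# An offline root is powered on rarely, so give its base CRL a long
# lifetime and issue no delta CRLs. Adjust the period to your own policy.
certutil.exe -setreg CA\CRLPeriodUnits 26
certutil.exe -setreg CA\CRLPeriod 'Weeks'
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service CertSvc
certutil.exe -crl    # issue a fresh CRL carrying the new CDP settings

# ---- Per forest, repeated in each of the two forests ----
# Copy RootCA.cer and RootCA.crl out of CertEnroll on removable media.
# On a domain-joined host, as an Enterprise Admin of that forest:
#   certutil.exe -f -dspublish .\RootCA.cer RootCA   # Certification Authorities container
#   certutil.exe -f -dspublish .\RootCA.crl          # CDP container for AD-aware clients
# Also place both files on the web server behind $HttpBase, since that is
# the only location named in the certificates' CDP/AIA extensions.
# From a client in either forest, confirm the chain and CRL resolve over HTTP:
#   certutil.exe -verify -urlfetch .\SubCA.cer
```

The -dspublish step is what lets domain members trust the root without any LDAP URL in the certificates; the HTTP copy is what lets hosts in the other forest, and external relying parties, fetch the CRL.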
All replies
It would be two totally separate domains, not two forests.
Thursday, October 31, 2013 11:37 AM
It would be two totally separate domains, not two forests.
Domains, by definition are separate from one another. You're not being clear here. Are these domains in the same or different forests?
Thursday, October 31, 2013 5:27 PM
It would be two totally separate domains, not two forests.
Domains, by definition are separate from one another. You're not being clear here. Are these domains in the same or different forests?
Two separate domains in two separate forests. No trusts between them.
Thursday, October 31, 2013 7:08 PM
Hi,
As we replied, you should really only be using HTTP URLs for the CRLs.
The HTTP location should be both internally and externally accessible (from both forests).
Regards,
Yan Li
Monday, November 4, 2013 2:19 AM
Hi,
As we replied, you should really only be using HTTP URLs for the CRLs.
The HTTP location should be both internally and externally accessible (from both forests)
Regards,
Yan Li
What is the reason for having the HTTP location accessible both internally and externally? I'm going to be copying the CRL manually from the offline CA to the subordinate CA.
- Edited by DG1212 Wednesday, December 11, 2013 9:35 PM
Wednesday, December 11, 2013 9:35 PM
On Wed, 11 Dec 2013 21:35:01 +0000, DG1212 wrote:
What is the reason for having the HTTP location accessible both internally and externally
So it is accessible by both internal and external relying parties.
Paul Adare - FIM CM MVP
Ah, young webmaster... java leads to shockwave.
Shockwave leads to realaudio. And realaudio leads to suffering.
Wednesday, December 11, 2013 9:43 PM