PKI Design Question

  • Question

  • We are about to build out a new AD Forest and we have some questions on the correct placement of the PKI environment. The Forest will have an "empty" root domain and some child domains to it. Where would the PKI servers reside? Certificates will be needed at all levels of the Forest, so would we just create one in the root domain or would it be better to also have ones in the child domains as well?
    Monday, August 28, 2017 3:52 PM

Answers

  • We are about to build out a new AD Forest and we have some questions on the correct placement of the PKI environment. The Forest will have an "empty" root domain and some child domains to it. Where would the PKI servers reside? Certificates will be needed at all levels of the Forest, so would we just create one in the root domain or would it be better to also have ones in the child domains as well?

    Hi,

    1. You could implement a 2-tier PKI in your forest: one offline standalone Root CA, and one sub issuing CA in the root domain.

    2. You need to grant the users from the child domains read and enroll permissions on the certificate templates, as well as permissions to request certificates from the certificate services itself.

    http://technet.microsoft.com/en-us/library/cc725621(WS.10).aspx

    3. You need to enable the certificate services in the parent/root domain to publish certificates in the child domains.

    http://support.microsoft.com/kb/281271

    4. Or you could add a sub issuing CA in each domain for themselves, if you need.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Vegas577 Tuesday, August 29, 2017 2:29 PM
    Tuesday, August 29, 2017 8:04 AM
    Moderator
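The answer above leaves two forest-wide prerequisites (steps 2 and 3) as prose. The PowerShell below is an added audit script, not code from the thread or from Microsoft: it checks that a child-domain group holds Read and Enroll on a template in the forest's Configuration partition, and that the issuing CA's computer account is a member of each child domain's Cert Publishers group, which is the usual way the publishing requirement in step 3 is met (an assumption drawn from the linked KB, not stated in the thread). Every domain, CA, template and group name in it is a placeholder.

```powershell
# Added audit example for the cross-domain checks in steps 2 and 3 of the answer.
# All names below are assumptions, not values from the thread.
Import-Module ActiveDirectory

$ForestRoot   = 'corp.example'                               # assumed empty forest root domain
$ChildDomains = @('emea.corp.example', 'apac.corp.example')  # assumed child domains
$CaAccount    = 'ISSUINGCA01$'                               # assumed issuing CA computer account (root domain)
$TemplateName = 'CorpUserAuth'                               # assumed template CN (not its display name)
$Principals   = @('EMEA\Domain Users', 'APAC\Domain Users')  # assumed child-domain groups that must enroll

# Certificate-Enrollment extended right as it appears in template ACEs (schema rightsGuid).
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Test-CertPublishersMembership {
    param([string]$Domain, [string]$CaSamAccountName)
    # Step 3: a root-domain enterprise CA writes issued certificates onto user objects in the
    # child domain; membership in that domain's Cert Publishers group grants it that write access
    # (assumption based on the KB the answer links). Check the group in the child domain itself.
    $members = Get-ADGroupMember -Identity 'Cert Publishers' -Server $Domain
    $pass = [bool]($members | Where-Object { $_.SamAccountName -eq $CaSamAccountName })
    [pscustomobject]@{ Scope = $Domain; Check = 'CA account in Cert Publishers'; Pass = $pass }
}

function Test-TemplateEnrollPermission {
    param([string]$TemplateName, [string]$PrincipalName)
    # Step 2: templates exist once per forest in the Configuration partition, so a child-domain
    # group needs an explicit Allow for Read and for the Enroll extended right on the template object.
    $configNC = (Get-ADRootDSE -Server $ForestRoot).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:$dn"
    $allowForPrincipal = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $PrincipalName -and $_.AccessControlType -eq 'Allow'
    }
    # ReadProperty is the core bit of the GUI's "Read" permission.
    $hasRead = [bool]($allowForPrincipal | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0
    })
    # Enroll is an ExtendedRight ACE whose ObjectType is the Certificate-Enrollment GUID.
    $hasEnroll = [bool]($allowForPrincipal | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
        $_.ObjectType -eq $EnrollRight
    })
    [pscustomobject]@{
        Scope = "$TemplateName / $PrincipalName"
        Check = 'Read + Enroll on template'
        Pass  = ($hasRead -and $hasEnroll)
    }
}

$results = @()
foreach ($domain in $ChildDomains) {
    $results += Test-CertPublishersMembership -Domain $domain -CaSamAccountName $CaAccount
}
foreach ($principal in $Principals) {
    $results += Test-TemplateEnrollPermission -TemplateName $TemplateName -PrincipalName $principal
}
$results | Format-Table -AutoSize
```

Run it as an account that can read the Configuration partition and the child domains' group membership. A Pass of False on the template row means users in that child domain will fail enrollment even though the CA itself is reachable; the CA-level "Request Certificates" permission mentioned in step 2 lives on the CA object's Security tab and is not covered by this script.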

All replies

  • Agrees with Cartman.

    I tell my customers that a Microsoft AD/CS Enterprise Certification Authority is a forest-wide resource.

    You could put the CA in the Domain of your choosing, and make it available to every domain within the AD forest.

    And that is quite often how I see customers approach this situation.

    Good Luck,

    -Wayne

    Tuesday, August 29, 2017 12:32 PM
  • ok thanks both of you.
    Tuesday, August 29, 2017 2:29 PM