How to sync certificates generated by external Root CA with internal CA

  • Question

  • Hello All,

    I have 3 zones (internet, intranet and DMZ). The internet and intranet zones are physically separated and in different domains. I need to build a standalone root CA in the DMZ zone, common to both the internet and intranet zones, and this root CA in the DMZ zone has to be able to sync/import certificates generated by the external root CA. How can this be achieved?


    Thanks

    Thursday, July 19, 2018 3:13 PM

Answers

  • Hi,

    Thanks for your reply. 

    Do you mean to simply deploy a one-tier PKI infrastructure? If so, yes! We could implement this deployment; we'll need to set up the Enterprise CA for issuing certs on the intranet domain.

    For more information about this topic, please refer to the following article,

    https://msdn.microsoft.com/en-us/library/cc875810.aspx?f=255&MSPPError=-2147217396

    Besides, if you would like to simply use certs for users and computers and exclude the Root CA entirely, you could purchase public certs from a third-party vendor.

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by don'zz Thursday, July 26, 2018 11:02 AM
    Monday, July 23, 2018 10:21 AM
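The marked answer describes a one-tier PKI: a single Enterprise Root CA that is both the trust anchor and the issuing CA for the intranet domain. The following PowerShell is an added example of that deployment and is not code from the thread or from Microsoft. The CA common name, key size, database paths, the two-year issuance cap and the `ActiveDirectory` module check are assumptions; run it elevated, as an Enterprise Admin, on a domain-joined Windows Server that has the AD CS role binaries available.

```powershell
# Added example, not from the thread: one-tier PKI (Enterprise Root CA that also issues
# end-entity certificates). Names, paths and validity values below are assumptions.

# 1. Install the Certification Authority role service and its management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an Enterprise (AD-integrated) root. The key lives in the software KSP
#    here; on a real root prefer an HSM-backed provider if one is available.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName 'Intranet Root CA' `                     # assumed name
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `        # lifetime of the root itself
    -DatabaseDirectory 'D:\CertDB' -LogDirectory 'D:\CertLog' `   # assumed paths
    -Force

# 3. Cap the lifetime of certificates this CA will issue (defaults to 2 years anyway;
#    set it explicitly so the value is documented). Assumed policy: 2 years.
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod 'Years'
Restart-Service certsvc

# 4. Verify the CA answers over DCOM and is registered in the forest's Enrollment
#    Services container, which is what makes domain members auto-enroll against it.
certutil -config "$env:COMPUTERNAME\Intranet Root CA" -ping

if (Get-Module -ListAvailable ActiveDirectory) {      # RSAT AD module, assumed installed
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
                 -Filter 'objectClass -eq "pKIEnrollmentService"' |
        Select-Object Name, DistinguishedName
}
```

Because the root key sits on an online, domain-joined host, this single CA is the trust anchor for the whole forest; compromise of the host means reissuing everything, which is why the two-tier design with an offline standalone root is the usual recommendation when the environment can afford a second server.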

All replies

  • Hi,

    Thanks for your question.

    May I know your external CA is third party CA or Windows ADCS?

    If Windows ADCS, please simply make sure the ports and services required for ADCS between external and internal are allowed. 

    https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services/

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael



    Friday, July 20, 2018 10:02 AM
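The reply above points at the firewall rules AD CS needs between zones. As an added example (not code from the thread or from the linked article), the PowerShell below checks that path from an internal host: first the RPC endpoint mapper on TCP 135, then an actual ICertRequest DCOM call with `certutil -ping`, which is only answered if the dynamically assigned RPC port is also open. The hostname, CA name, port range and address range are assumptions.

```powershell
# Added example, not from the thread: verify the DCOM/RPC path that AD CS clients use
# to reach a CA in another zone, and show how to make the CA-side rule tight.
# $CaHost, $CaName, the port range and the intranet subnet are assumed values.
function Test-AdcsReachability {
    param(
        [string]$CaHost = 'extca01.external.example',   # assumed CA hostname
        [string]$CaName = 'External Root CA'            # assumed CA common name
    )

    # Step 1: DCOM always starts at the RPC endpoint mapper, TCP 135.
    $epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
    if (-not $epm.TcpTestSucceeded) {
        Write-Warning "TCP 135 to $CaHost is blocked; no AD CS RPC interface can be reached."
        return $false
    }

    # Step 2: the mapper hands back a port from the dynamic RPC range (49152-65535 on
    # Windows Server 2008 and later). certutil -ping makes a real ICertRequest call, so a
    # success here proves both the mapper and the dynamic port are allowed through.
    $out = & certutil.exe -config "$CaHost\$CaName" -ping 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Endpoint mapper is open but the CA interface is not: $($out -join ' ')"
        return $false
    }
    "CA '$CaName' on $CaHost answered over DCOM: $($out -join ' ')"
    return $true
}

function Set-AdcsFirewallScope {
    # Run ON the CA. Narrows the dynamic RPC range so the inbound rule can list fixed
    # ports instead of 49152-65535, and scopes that rule to the intranet only.
    # 5001-5100 and 10.20.0.0/16 are arbitrary example values; a reboot applies the
    # new dynamic range.
    param(
        [int]$RangeStart = 5001,
        [int]$RangeCount = 100,
        [string]$IntranetSubnet = '10.20.0.0/16'
    )
    netsh int ipv4 set dynamicport tcp start=$RangeStart num=$RangeCount
    $rangeEnd = $RangeStart + $RangeCount - 1
    New-NetFirewallRule -DisplayName 'AD CS DCOM from intranet' -Direction Inbound `
        -Protocol TCP -LocalPort @('135', "$RangeStart-$rangeEnd") `
        -RemoteAddress $IntranetSubnet -Action Allow
}

Test-AdcsReachability
```

Run `Test-AdcsReachability` from a machine in the zone that needs to enroll; a failure at step 2 while step 1 succeeds is the classic symptom of a firewall that allows 135 but not the dynamic range. Narrowing the range on the CA with `Set-AdcsFirewallScope` changes it for every RPC service on that host, so do it on a dedicated CA server only.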
  • Hi,

    The external CA is Windows AD CS, so how can I sync certificates from it? What is the process? Is it possible to enable sync between Root CAs for a few certificates? 

    Thanks,

    Sai Siva Kumar


    Thanks

    Friday, July 20, 2018 6:32 PM
  • Hi,

    Thanks for your reply.

    Here's a link that talks about CA server database replication; it may be helpful.

    Microsoft Certificate Server Database Replication

    From the above article, we learn that directly syncing their databases may be an infeasible solution, because they are both independent CA servers.

    If you want to build redundancy for the CA server, you could build brand new CA servers in a Windows failover cluster.
    http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx

    Hope above information can help you. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael



    Saturday, July 21, 2018 3:22 AM
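The reply above is right that two independent CA databases cannot be replicated. What can be moved between independent CAs is trust: the external root's certificate is imported into the internal forest so that certificates the external CA issued validate there. The PowerShell below is an added example of that import, not code from the thread; the file paths, the expected thumbprint, the leaf-certificate path and the CA name are assumptions, the root certificate is assumed to have been obtained out of band, and the script must run as an Enterprise Admin of the internal forest.

```powershell
# Added example, not from the thread: make the external AD CS root trusted inside the
# internal forest. Paths, thumbprint and names are placeholders (assumptions).
param(
    [string]$ExternalRootCer    = 'C:\PKI\external-root.cer',      # assumed path
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',  # assumed
    [string]$SampleLeafCer      = 'C:\PKI\server-from-external-ca.cer'  # assumed path
)

# A root certificate is a trust decision for every machine in the forest, so check its
# fingerprint against a value obtained through a second channel before publishing it.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExternalRootCer
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
if ($root.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($root.Thumbprint), expected $expected"
}
if ($root.Subject -ne $root.Issuer) {
    throw 'Not a self-signed root; only the external root belongs in the RootCA store.'
}

# Publish to the forest Configuration partition (Trusted Root CAs container). Every
# domain member picks it up as a trusted root on its next Group Policy refresh.
& certutil.exe -dspublish -f $ExternalRootCer RootCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish RootCA failed ($LASTEXITCODE)" }

# Deliberately NOT publishing to NTAuthCA: that store lets a CA issue certificates that
# log users on to this domain (smart card, PKINIT). Grant that to a foreign CA only if
# it is meant to authenticate your users.
# & certutil.exe -dspublish -f $ExternalRootCer NTAuthCA    # do not run by default

# Trust is only half of validation: a certificate issued by the external CA still has
# to reach the AIA/CDP URLs embedded in it from the internal zone, or revocation
# checking fails. -urlfetch follows those URLs and reports which ones are unreachable.
if (Test-Path $SampleLeafCer) {
    & certutil.exe -verify -urlfetch $SampleLeafCer
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'Leaf does not validate yet: check CDP/AIA reachability through the firewall.'
    }
}
```

After the GPO refresh, `certutil -viewstore -enterprise Root` on any domain member should list the external root. If `certutil -verify -urlfetch` shows the CRL or AIA URL failing, the fix is network reachability to those URLs (or an HTTP CDP that the external CA publishes to a location both zones can reach), not copying certificates into the internal CA's database.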
  • Hi,

    As both the external root CA and the internal root CA belong to different organizations, we cannot build a failover cluster for them.


    Thanks

    Saturday, July 21, 2018 7:05 AM
  • Hi,

    One more question: can we build and issue certificates without a root CA?


    Thanks

    Saturday, July 21, 2018 7:06 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Thursday, July 26, 2018 10:20 AM