Windows 2000 Certificate Services - Help Request (Understa..

Archived from groups: microsoft.public.win2000.security

Hi,

I have just had to install Windows 2000 Certificate services and setup
a two-machine CA for our company. While the installation has gone
without a hitch, I am left with two machines which do not act as I had
expected and it is probably my understanding of the system which is at
fault.

I wonder if someone with more experience of this stuff could help me
out here?

I have a CA root server (Active Directory) and a CA Subordinate server
(Active Directory).

I can connect to both through the web interface and request and get
new certificates which can be successfully installed into Internet
Explorer.

Question 1:

As I understand it, I am supposed to do all my requests on the
subordinate server and leave the CA root alone. However, if I do this
then the CA Root server only ever shows (in the past 48 hours at
least), the certificates which were issued directly from itself. It
does not show the certificates issued or revoked or failed which were
produced as a result of requests from the subordinate server.

Should activity on the CA subordinate server not be reflected in the
CA Root server (as it is the ultimate controller of this system)?

Question 2:

I have exported a certificate and imported it into Outlook 2002. It
(Outlook) is capable of sending signed messages and recognising signed
messages sent from a different account as signed.

It fails completely with any attempt to encrypt a message and send it
to a user account which has already sent a signed message. I get a
warning that there is a problem with the other person's certificate and
that it is not trusted.

Question 3:

There are a lot of options for what type of encryption I want when I
request a certificate. Can someone tell me what the best all round
secure setting is when requesting a certificate through the "request
form"?

Thanks for the help here.
  1.

    In article <p18ui018mp9ru706ehdraloage8ku28hj4@4ax.com>, in the
    microsoft.public.win2000.security news group, Go:gul
    <b_ma_k@hotmail.com> says...

    > Question 1:
    >
    > As I understand it, I am supposed to do all my requests on the
    > subordinate server and leave the CA root alone. However, if I do this
    > then the CA Root server only ever shows (in the past 48 hours at
    > least), the certificates which were issued directly from itself. It
    > does not show the certificates issued or revoked or failed which were
    > produced as a result of requests from the subordinate server.
    >
    > Should activity on the CA subordinate server not be reflected in the
    > CA Root server (as it is the ultimate controller of this system)?

    Nope. Each CA will only ever display the certificates that it has
    issued. You're lacking a basic understanding of how PKI works here. The
    root CA provides the top level of trust in your PKI, it doesn't control
    the other CAs.

    >
    > Question 2:
    >
    > I have exported a certificate and imported it into Outlook 2002. It
    > (Outlook) is capable of sending signed messages and recognising signed
    > messages sent from a different account as signed.
    >
    > It fails completely with any attempt to encrypt a message and send it
    > to a user account which has already sent a signed message. I get a
    > warning that there is a problem with the other person's certificate and
    > that it is not trusted.

    Based on which template? Are you sure that you've got a certificate that
    is good for both signing and encryption?

    >
    > Question 3:
    >
    > There are a lot of options for what type of encryption I want when I
    > request a certificate. Can someone tell me what the best all round
    > secure setting is when requesting a certificate through the "request
    > form"?

    This is a big topic, and you really need to start with the basics. PKI,
    given its importance and nature, is not something you can get "almost"
    right and expect it to work, or to be secure. I'd suggest taking a
    course in PKI (Microsoft has a great one), or at the very least reading
    the help files, and the white papers, etc, on the Microsoft web site.


    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
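    The two points in the reply above (each CA records only the certificates
    it signed itself, and a certificate must carry the right key usage to be
    used for encryption) can be seen directly in a small two-tier chain. The
    following Go program is an added example written for this page, not code
    from the thread or from Microsoft; the CA names, e-mail addresses and the
    `CA` type are constructed for illustration. It builds a root, a
    subordinate issuing CA and two user certificates, then checks the
    relying-party view: the root's issued list contains only the subordinate
    CA certificate, a user certificate validates to the root only when the
    subordinate CA certificate is available as an intermediate, and a
    signing-only certificate is rejected for encryption because it lacks key
    encipherment, which is what the certificate template controls.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA models one certification authority (hypothetical type): its own
// certificate and key plus the certificates it has signed, i.e. what that
// CA's own "Issued Certificates" view would show.
type CA struct {
	Name   string
	Cert   *x509.Certificate
	Key    *rsa.PrivateKey
	Issued []*x509.Certificate
}

var lastSerial int64

func nextSerial() *big.Int {
	lastSerial++
	return big.NewInt(lastSerial)
}

func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// sign fills in the serial and validity start, signs tmpl under parent
// with signer's key, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = nextSerial()
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(name string, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewRootCA creates a self-signed root; it signs only CA certificates.
func NewRootCA(name string) *CA {
	key := newKey()
	tmpl := caTemplate(name, 10)
	return &CA{Name: name, Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// Issue signs tmpl with this CA's key and records the result in this CA's
// own issued list. The parent CA is not involved and never sees it.
func (ca *CA) Issue(tmpl *x509.Certificate, pub *rsa.PublicKey) *x509.Certificate {
	cert := sign(tmpl, ca.Cert, pub, ca.Key)
	ca.Issued = append(ca.Issued, cert)
	return cert
}

// NewSubCA issues a subordinate CA certificate from this CA.
func (ca *CA) NewSubCA(name string) *CA {
	key := newKey()
	return &CA{Name: name, Cert: ca.Issue(caTemplate(name, 5), &key.PublicKey), Key: key}
}

// UserCert issues an end-entity S/MIME certificate. The key usage plays the
// role of the template: a signing-only template omits key encipherment, so
// nobody can encrypt mail to the certificate's owner with it.
func (ca *CA) UserCert(email string, forEncryption bool) *x509.Certificate {
	key := newKey()
	ku := x509.KeyUsageDigitalSignature
	if forEncryption {
		ku |= x509.KeyUsageKeyEncipherment
	}
	tmpl := &x509.Certificate{
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       ku,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return ca.Issue(tmpl, &key.PublicKey)
}

// ChainsToRoot reports whether cert validates up to root through the given
// intermediates, as a mail client checking a sender's certificate would.
func ChainsToRoot(cert, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}

// UsableForEmailEncryption checks the two template properties a recipient
// certificate needs before a client will encrypt a message to it.
func UsableForEmailEncryption(c *x509.Certificate) bool {
	if c.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return false
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return len(c.ExtKeyUsage) == 0 // no EKU at all means unrestricted
}

func main() {
	root := NewRootCA("Example Root CA")
	sub := root.NewSubCA("Example Issuing CA")
	alice := sub.UserCert("alice@example.test", false) // signing-only template
	bob := sub.UserCert("bob@example.test", true)      // signing and encryption
	fmt.Printf("root issued %d certificate(s), sub CA issued %d\n", len(root.Issued), len(sub.Issued))
	fmt.Println("bob chains to root with intermediate:", ChainsToRoot(bob, root.Cert, sub.Cert))
	fmt.Println("bob chains to root without intermediate:", ChainsToRoot(bob, root.Cert))
	fmt.Println("alice usable for encryption:", UsableForEmailEncryption(alice))
	fmt.Println("bob usable for encryption:", UsableForEmailEncryption(bob))
}
```

    The "without intermediate" case is the one that produces a "not trusted"
    warning in practice: the recipient's client must hold (or be sent) the
    subordinate CA certificate as well as trusting the root, and the
    recipient's certificate must have been issued from a template that
    includes key encipherment.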
  2.

    Here are some whitepaper links to help get you started:

    auto-enrollment:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    Best Practices:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx


    Microsoft Systems Architecture:
    http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx


    Cert templates -
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx


    Key archival -
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx


    Operations guide -
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx


    --


    David B. Cross [MS]

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    http://support.microsoft.com

    "Paul Adare - MVP - Microsoft Virtual PC" <padare@newsguy.com> wrote in
    message news:MPG.1b98f2b7c320a979989a38@msnews.microsoft.com...
    > In article <p18ui018mp9ru706ehdraloage8ku28hj4@4ax.com>, in the
    > microsoft.public.win2000.security news group, Go:gul
    > <b_ma_k@hotmail.com> says...
    >
    >> Question 1:
    >>
    >> As I understand it, I am supposed to do all my requests on the
    >> subordinate server and leave the CA root alone. However, if I do this
    >> then the CA Root server only ever shows (in the past 48 hours at
    >> least), the certificates which were issued directly from itself. It
    >> does not show the certificates issued or revoked or failed which were
    >> produced as a result of requests from the subordinate server.
    >>
    >> Should activity on the CA subordinate server not be reflected in the
    >> CA Root server (as it is the ultimate controller of this system)?
    >
    > Nope. Each CA will only ever display the certificates that it has
    > issued. You're lacking a basic understanding of how PKI works here. The
    > root CA provides the top level of trust in your PKI, it doesn't control
    > the other CAs.
    >
    >>
    >> Question 2:
    >>
    >> I have exported a certificate and imported it into Outlook 2002. It
    >> (Outlook) is capable of sending signed messages and recognising signed
    >> messages sent from a different account as signed.
    >>
    >> It fails completely with any attempt to encrypt a message and send it
    >> to a user account which has already sent a signed message. I get a
    >> warning that there is a problem with the other person's certificate and
    >> that it is not trusted.
    >
    > Based on which template? Are you sure that you've got a certificate that
    > is good for both signing and encryption?
    >
    >>
    >> Question 3:
    >>
    >> There are a lot of options for what type of encryption I want when I
    >> request a certificate. Can someone tell me what the best all round
    >> secure setting is when requesting a certificate through the "request
    >> form"?
    >
    > This is a big topic, and you really need to start with the basics. PKI,
    > given its importance and nature, is not something you can get "almost"
    > right and expect it to work, or to be secure. I'd suggest taking a
    > course in PKI (Microsoft has a great one), or at the very least reading
    > the help files, and the white papers, etc, on the Microsoft web site.
    >
    >
    > --
    > Paul Adare
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
  3.

    Paul,

    Do you have the link to the Microsoft PKI course?

    Lisa


    >-----Original Message-----
    >In article <p18ui018mp9ru706ehdraloage8ku28hj4@4ax.com>, in the
    >microsoft.public.win2000.security news group, Go:gul
    ><b_ma_k@hotmail.com> says...
    >
    >> Question 1:
    >>
    >> As I understand it, I am supposed to do all my requests on the
    >> subordinate server and leave the CA root alone. However, if I do this
    >> then the CA Root server only ever shows (in the past 48 hours at
    >> least), the certificates which were issued directly from itself. It
    >> does not show the certificates issued or revoked or failed which were
    >> produced as a result of requests from the subordinate server.
    >>
    >> Should activity on the CA subordinate server not be reflected in the
    >> CA Root server (as it is the ultimate controller of this system)?
    >
    >Nope. Each CA will only ever display the certificates that it has
    >issued. You're lacking a basic understanding of how PKI works here. The
    >root CA provides the top level of trust in your PKI, it doesn't control
    >the other CAs.
    >
    >>
    >> Question 2:
    >>
    >> I have exported a certificate and imported it into Outlook 2002. It
    >> (Outlook) is capable of sending signed messages and recognising signed
    >> messages sent from a different account as signed.
    >>
    >> It fails completely with any attempt to encrypt a message and send it
    >> to a user account which has already sent a signed message. I get a
    >> warning that there is a problem with the other person's certificate and
    >> that it is not trusted.
    >
    >Based on which template? Are you sure that you've got a certificate that
    >is good for both signing and encryption?
    >
    >>
    >> Question 3:
    >>
    >> There are a lot of options for what type of encryption I want when I
    >> request a certificate. Can someone tell me what the best all round
    >> secure setting is when requesting a certificate through the "request
    >> form"?
    >
    >This is a big topic, and you really need to start with the basics. PKI,
    >given its importance and nature, is not something you can get "almost"
    >right and expect it to work, or to be secure. I'd suggest taking a
    >course in PKI (Microsoft has a great one), or at the very least reading
    >the help files, and the white papers, etc, on the Microsoft web site.
    >
    >
    >--
    >Paul Adare
    >This posting is provided "AS IS" with no warranties, and confers no
    >rights.
    >.
    >
  4.

    Designing and Managing a Windows Public Key Infrastructure
    http://www.microsoft.com/learning/syllabi/en-us/2821Afinal.mspx

    Mike

    "Lisa_at_work" <anonymous@discussions.microsoft.com> wrote in message
    news:16ab01c48c44$eb3ec240$a301280a@phx.gbl...
    > Paul,
    >
    > Do you have the link to the Microsoft PKI course?
    >
    > Lisa
    >
    >
    > >-----Original Message-----
    > >In article <p18ui018mp9ru706ehdraloage8ku28hj4@4ax.com>, in the
    > >microsoft.public.win2000.security news group, Go:gul
    > ><b_ma_k@hotmail.com> says...
    > >
    > >> Question 1:
    > >>
    > >> As I understand it, I am supposed to do all my requests on the
    > >> subordinate server and leave the CA root alone. However, if I do this
    > >> then the CA Root server only ever shows (in the past 48 hours at
    > >> least), the certificates which were issued directly from itself. It
    > >> does not show the certificates issued or revoked or failed which were
    > >> produced as a result of requests from the subordinate server.
    > >>
    > >> Should activity on the CA subordinate server not be reflected in the
    > >> CA Root server (as it is the ultimate controller of this system)?
    > >
    > >Nope. Each CA will only ever display the certificates that it has
    > >issued. You're lacking a basic understanding of how PKI works here. The
    > >root CA provides the top level of trust in your PKI, it doesn't control
    > >the other CAs.
    > >
    > >>
    > >> Question 2:
    > >>
    > >> I have exported a certificate and imported it into Outlook 2002. It
    > >> (Outlook) is capable of sending signed messages and recognising signed
    > >> messages sent from a different account as signed.
    > >>
    > >> It fails completely with any attempt to encrypt a message and send it
    > >> to a user account which has already sent a signed message. I get a
    > >> warning that there is a problem with the other person's certificate and
    > >> that it is not trusted.
    > >
    > >Based on which template? Are you sure that you've got a certificate that
    > >is good for both signing and encryption?
    > >
    > >>
    > >> Question 3:
    > >>
    > >> There are a lot of options for what type of encryption I want when I
    > >> request a certificate. Can someone tell me what the best all round
    > >> secure setting is when requesting a certificate through the "request
    > >> form"?
    > >
    > >This is a big topic, and you really need to start with the basics. PKI,
    > >given its importance and nature, is not something you can get "almost"
    > >right and expect it to work, or to be secure. I'd suggest taking a
    > >course in PKI (Microsoft has a great one), or at the very least reading
    > >the help files, and the white papers, etc, on the Microsoft web site.
    > >
    > >
    > >--
    > >Paul Adare
    > >This posting is provided "AS IS" with no warranties, and confers no
    > >rights.
    > >.
    > >