Subordinate CA

Sean

Dec 31, 2007
Archived from groups: microsoft.public.win2000.security

Hi

My company has an Enterprise Root CA in Colorado and many Subordinate CAs in
its offices around the world.

One of these offices having a Subordinate CA with the Enterprise CA in
Colorado wants to use a certificate issued for this CA for a communication
encrypted by SSL between an external OWA client and the external interface of
the ISA server. This office was able to set up a certificate on the OWA
website from its Subordinate CA and the internal users are able to access
OWA using the https protocol.
For the external access, this office wanted to export this certificate and PK
and then to import it into the ISA server certificate store, but they were
not able to export the private key.
My question is: Is it possible to use this Subordinate CA in order to get the
certificate for the external OWA access? If so, what should they do in order
to get the private key?
If not, should I install a new Enterprise root CA on the domain of this
office?
If I install this new Enterprise root CA on this office ... could this new
Enterprise root CA cause some conflict with the current Subordinate CA?

Thank you for any thought about it

Sean
 

Sean


Hi Mike

I have W2K SP4 and OWA 5.5 SP4
The OWA certificate was set up using IIS. The office took a certificate existing on
its DC and used it on OWA. When the office tried to export this certificate,
the PK option was unavailable. They cannot connect to our Enterprise CA to
get a new certificate ...

Checking its Event Viewer I realized that its certificate services was not
started. It's not able to start after applying SP4 on Subordinate CA's DC ...
do you think it might be the problem?

Thanks
Sean
 
Guest

Hi Sean,

What version are your CA servers in question? Windows 2000? Are the subordinate
CA servers set up as Enterprise CAs?

How was the certificate issued to OWA? Using IIS or was it by web interface? If
the certificate was imported to OWA manually, was it marked as exportable before
it was imported?

Mike
 
Guest

Hi Sean,

Issue OWA its own certificate on the subordinate CA service. You can either use
the IIS wizard or the web interface to issue a new certificate to OWA.

Try to start the certificate service and see if there are any pop-up error
messages about what could be the problem. Also check the event log for any specific
reasons why the CA would not want to start. Check the CA certificate in the computer
store (Enterprise and Subordinate) to see if anything has expired or is not
trusted... SP4 should not cause any problem, but there are other patches
that might alter the way the certificate chain is built.

Mike