Windows 2000 Certificate Services - Help Request (Understanding and operation)
Hi,
I have just had to install Windows 2000 Certificate Services and set up a two-machine CA for our company. While the installation has gone without a hitch, I am left with two machines which do not act as I had expected, and it is probably my understanding of the system which is at fault.
I wonder if someone with more experience of this stuff could help me out here?
I have a CA root server (Active Directory) and a CA Subordinate server (Active Directory).
I can connect to both through the web interface and request and get new certificates which can be successfully installed into Internet Explorer.
Question 1:
As I understand it, I am supposed to do all my requests on the subordinate server and leave the CA root alone. However, if I do this then the CA Root server only ever shows (in the past 48 hours at least) the certificates which were issued directly from itself. It does not show the certificates issued, revoked or failed which were produced as a result of requests from the subordinate server.
Should activity on the CA subordinate server not be reflected in the CA Root server (as it is the ultimate controller of this system)?
Question 2:
I have exported a certificate and imported it into Outlook 2002. It (Outlook) is capable of sending signed messages and recognising signed messages sent from a different account as signed.
It fails completely with any attempt to encrypt a message and send it to a user account which has already sent a signed message. I get a warning that there is a problem with the other person's certificate and that it is not trusted.
Question 3:
There are a lot of options for what type of encryption I want when I request a certificate. Can someone tell me what the best all-round secure setting is when requesting a certificate through the "request form"?
Thanks for the help here.
Paul Adare - MVP - Microsoft Virtual PC

In article , in the microsoft.public.win2000.security news group, Go:gul says...

> Question 1:
>
> As I understand it, I am supposed to do all my requests on the subordinate server and leave the CA root alone. However, if I do this then the CA Root server only ever shows (in the past 48 hours at least) the certificates which were issued directly from itself. It does not show the certificates issued or revoked or failed which were produced as a result of requests from the subordinate server.
>
> Should activity on the CA subordinate server not be reflected in the CA Root server (as it is the ultimate controller of this system)?
Nope. Each CA will only ever display the certificates that it has issued. You're lacking a basic understanding of how PKI works here. The root CA provides the top level of trust in your PKI, it doesn't control the other CAs.
> Question 2:
>
> I have exported a certificate and imported it into Outlook 2002. It (Outlook) is capable of sending signed messages and recognising signed messages sent from a different account as signed.
>
> It fails completely with any attempt to encrypt a message and send it to a user account which has already sent a signed message. I get a warning that there is a problem with the other person's certificate and that it is not trusted.
Based on which template? Are you sure that you've got a certificate that is good for both signing and encryption?
> Question 3:
>
> There are a lot of options for what type of encryption I want when I request a certificate. Can someone tell me what the best all-round secure setting is when requesting a certificate through the "request form"?
This is a big topic, and you really need to start with the basics. PKI, given its importance and nature, is not something you can get "almost" right and expect it to work, or to be secure. I'd suggest taking a course in PKI (Microsoft has a great one), or at the very least reading the help files, and the white papers, etc, on the Microsoft web site.
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no rights.
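As an added example (this is not code from the original thread or from Microsoft), the PowerShell script below performs the two checks the reply above points at: it counts issued, revoked and failed rows in each CA's own database separately, so you can see that the root only records what it issued itself, and it inspects a recipient's certificate for the properties Outlook needs before it will encrypt to it (a keyEncipherment key usage, the Secure Email enhanced key usage, and a chain to a root this machine trusts). The CA config strings, host names and CA names are hypothetical placeholders; `certutil -dump` on each CA shows the real ones.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not code from the original thread.
# Hypothetical CA config strings ("host\CA common name"); replace with your own.
$RootCa = 'rootca.example.com\Example Root CA'
$SubCa  = 'subca.example.com\Example Issuing CA'

# Disposition values used in the CA database for certutil -restrict filters.
$Dispositions = [ordered]@{ Issued = 20; Revoked = 21; Failed = 30; Denied = 31 }

function Get-CaDatabaseSummary {
    # Counts rows per disposition in ONE CA's database. The root CA's database
    # holds the subordinate CA's own certificate and nothing that was requested
    # through the subordinate; those rows live only in the subordinate's database.
    param([Parameter(Mandatory)][string]$Config)
    foreach ($d in $Dispositions.GetEnumerator()) {
        $rows = & certutil.exe -config $Config -view -restrict "Disposition=$($d.Value)" `
                  -out 'RequestID,RequesterName,CertificateTemplate,NotAfter' 2>&1
        [pscustomobject]@{
            CA          = $Config
            Disposition = $d.Key
            Rows        = @($rows | Select-String -Pattern '^Row \d+:').Count
        }
    }
}

function Test-SmimeRecipientCert {
    # Explains an Outlook "problem with the recipient's certificate" warning:
    # reports whether the certificate can sign (digitalSignature), can receive
    # encrypted mail (keyEncipherment), carries the Secure Email EKU, and
    # whether it chains to a root in this machine's trusted store.
    # A certificate with no Key Usage extension is reported as unable to do either.
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        CanSign      = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature))
        CanEncrypt   = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment))
        SecureEmail  = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' }))
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage: compare the two databases, then test the recipient certificates held in
# the "Other People" store (Cert:\CurrentUser\AddressBook). A certificate exported
# from a signed message can also be loaded with New-Object X509Certificate2 'path.cer'.
Get-CaDatabaseSummary -Config $RootCa | Format-Table -AutoSize
Get-CaDatabaseSummary -Config $SubCa  | Format-Table -AutoSize
Get-ChildItem Cert:\CurrentUser\AddressBook |
    ForEach-Object { Test-SmimeRecipientCert -Cert $_ } |
    Format-Table Subject, CanSign, CanEncrypt, SecureEmail, ChainTrusted, ChainStatus -AutoSize
```

If the recipient's certificate shows CanSign true but CanEncrypt false, the template it was issued from gives it a signature-only key, which matches the symptom in Question 2 (signing works, encrypting to that person does not). If ChainTrusted is false, ChainStatus names the reason (for example UntrustedRoot when the root CA certificate is not in the sending machine's Trusted Root store, or RevocationStatusUnknown when the CRL cannot be fetched).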
Here are some whitepaper links to help get you started:

auto-enrollment: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Microsoft Systems Architecture: http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx
Cert templates: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Operations guide: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Paul Adare - MVP - Microsoft Virtual PC" wrote in message news:MPG.1b98f2b7c320a979989a38@msnews.microsoft.com...
Paul,

Do you have the link to the Microsoft PKI course?

Lisa

>-----Original Message-----
>In article , in the microsoft.public.win2000.security news group, Go:gul says...
Designing and Managing a Windows Public Key Infrastructure
http://www.microsoft.com/learning/syllabi/en-us/2821Afinal.mspx

Mike

"Lisa_at_work" wrote in message news:16ab01c48c44$eb3ec240$a301280a@phx.gbl...
> Paul,
>
> Do you have the link to the Microsoft PKI course?
>
> Lisa