Enrollment Agent & Smart Card Certificate Templates Best practices?

Brian Day

Guest
Hi Folks,

We are working towards enabling smart-card logon in one of our child domains and I was curious if anyone has some best practices they would like to share as far as the Enrollment Agent & Smart Card Certificate Templates. I have the Microsoft Press Server 2003 PKI book on the way, but it isn't here quite yet.

I will be duplicating the existing EA template and assigning it to their issuing CA. I will then be changing the permissions on it to only be available to the EA security group in the domain. Should I mark the existing unused Enrollment Agent template as superseded by this one or leave it alone? When they are done with EA enrollment, I'll pull the template from the issuing CA, but not delete it from AD.

I will also be duplicating the Smart Card template and assigning it to their issuing CA. I will also lock it down to their EA security group and require a Certificate Request OID for any request.

What else should I consider? I know there is probably a ton which should be sifted through, but it is becoming a bit of a rush job for something I fully feel should NEVER EVER be a rush job. These things take planning, but I'm stuck learning with trial by fire here.

The offline Root CA is 2003 Enterprise.

The existing Issuing CA is 2003 Enterprise. (Using this to duplicate the template)

The new Issuing CA they'll be using is Server 2008 Enterprise. (Not yet online, later today probably)

Thank you!

p.s.

They want to do certs for WLAN Vista clients & WAPs too, but I'll post a different thread for that.
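One check that fits the plan above is to audit, before and after the delegation, who can actually enroll for the Enrollment Agent and Smartcard Logon templates, which CAs publish them, what they supersede, and what enrollment-agent signature they require. The script below is an added example written for this thread, not code from the original post or from Microsoft. It assumes a domain-joined Windows host with the built-in System.DirectoryServices assembly, an account that can read the Configuration partition, and uses two hypothetical template names ("ChildDomainEnrollmentAgent" and "ChildDomainSmartcardLogon") for the duplicates the post describes; the Certificate-Enrollment extended-right GUID is the real AD schema value. It is read-only.

```powershell
# Added example (not from the original post): audit Enrollment Agent / Smartcard Logon
# certificate templates in AD CS. Reports, per template, the principals allowed the
# Certificate-Enrollment extended right, the CAs publishing the template, what it
# supersedes, and the RA (enrollment agent) signature requirement.

# Templates to audit. The first two are the built-in templates; the other two are
# hypothetical names for the duplicates described in the post.
$TemplatesToAudit = @(
    'EnrollmentAgent',
    'SmartcardLogon',
    'ChildDomainEnrollmentAgent',   # hypothetical duplicate of EnrollmentAgent
    'ChildDomainSmartcardLogon'     # hypothetical duplicate of SmartcardLogon
)

# Schema GUID of the Certificate-Enrollment extended right ("Enroll" in the template ACL editor).
$CertificateEnrollmentRight = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'

function Get-TemplateEnrollmentAudit {
    param([string[]]$TemplateName = $TemplatesToAudit)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Template objects live under CN=Certificate Templates. Each CA is a pKIEnrollmentService
    # object under CN=Enrollment Services whose certificateTemplates attribute lists what it publishes.
    $templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $caContainer       = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"

    # Map template name -> CA names that publish it.
    $publishedOn = @{}
    foreach ($ca in $caContainer.psbase.Children) {
        $caName = $ca.Properties['cn'].Value
        foreach ($t in $ca.Properties['certificateTemplates']) {
            if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
            $publishedOn[$t] += $caName
        }
    }

    foreach ($name in $TemplateName) {
        $template = $templateContainer.psbase.Children |
            Where-Object { $_.Properties['cn'].Value -eq $name }
        if (-not $template) {
            Write-Warning "Template '$name' does not exist in AD"
            continue
        }

        # Allow ACEs granting the Enroll right: either the specific extended right, or
        # "all extended rights" / GenericAll (ObjectType is the empty GUID in that case).
        $extendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        $acl = $template.psbase.ObjectSecurity
        $enrollers = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            $hasExtendedRight = (([int]$ace.ActiveDirectoryRights) -band $extendedRightBit) -ne 0
            $matchesEnroll    = ($ace.ObjectType -eq $CertificateEnrollmentRight) -or ($ace.ObjectType -eq [Guid]::Empty)
            if ($ace.AccessControlType -eq 'Allow' -and $hasExtendedRight -and $matchesEnroll) {
                $ace.IdentityReference.Value
            }
        }

        if ($publishedOn.ContainsKey($name)) { $cas = $publishedOn[$name] -join ', ' }
        else                                 { $cas = '(not published on any CA)' }

        [pscustomobject]@{
            Template       = $name
            PublishedOnCAs = $cas
            CanEnroll      = (@($enrollers) | Sort-Object -Unique) -join ', '
            Supersedes     = @($template.Properties['msPKI-Supersede-Templates']) -join ', '
            RASignatures   = $template.Properties['msPKI-RA-Signature'].Value
            RAAppPolicies  = @($template.Properties['msPKI-RA-Application-Policies']) -join ', '
        }
    }
}

Get-TemplateEnrollmentAudit | Format-List
```

Run it once before the template changes and again afterwards: for the duplicated Enrollment Agent template, CanEnroll should list only the child domain's EA security group, and after the EA enrollment window closes the template should show as not published on any CA while still existing in AD. The script only evaluates Allow ACEs, so a Deny ACE that overrides an inherited Allow will not be reflected in CanEnroll.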
