SCEP implementation

Posted

We have developed our Microsoft Server 2003 R2 PKI to issue certificates to Windows devices and to Cisco routers. The current configuration is a single Standalone Root CA which has been used to authenticate an Enterprise Subordinate CA and a Standalone Subordinate CA with SCEP. The Standalone Root CA has then been taken off-line.

Our Windows devices are issued certificates from the Enterprise Subordinate CA and our Cisco routers are issued certificates from the Standalone CA with SCEP. We have a backup site configured with Enterprise Subordinates and Standalone Subordinates also.

We are looking at consolidating this deployment by removing the Standalone CA with SCEP and installing SCEP on our Enterprise Subordinate CA. This will result in all Windows devices and Cisco devices being issued certificates from the one Enterprise Subordinate CA.

My question is: are there any known problems, security, maintenance or operational issues with this approach?

Guest Paul Adare - MVP
Posted

On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:

> My question is: Are there any known problems, security, maintenance or
> operational issues with this approach?

Nope.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
On line: A statement shouted at tennis judges in response to serves being
called out.

Posted

Hi Paul,

thanks for the response.

On the SCEP download page there are the following quotes:
http://www.microsoft.com/downloads/details...&displaylang=en

"When using a standalone CA, the CA should be in a separate certification hierarchy from all other CAs in your organization. This helps prevent any unintended trust of SCEP clients."

"When using a standalone CA with SCEP as a separate certification hierarchy, the root CA's certificate and chain should not be trusted by other clients in the enterprise. In this configuration, the SCEP-oriented PKI is only intended for trust by intermediate network devices that use SCEP."

So if I use an enterprise CA for SCEP, does that remove the need for having a separate certification hierarchy?

Could someone please elaborate on why Microsoft have suggested a standalone SCEP CA should be in a separate PKI hierarchy?

Thanks

"Paul Adare - MVP" wrote:

> On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:
>
> > My question is: Are there any known problems, security, maintenance or
> > operational issues with this approach?
>
> Nope.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> On line: A statement shouted at tennis judges in response to serves being
> called out.
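The "unintended trust" Microsoft's note refers to comes from how SCEP authenticates enrolment: the requester proves nothing about its domain identity, only (at most) possession of a challenge password, and whatever the SCEP service is permitted to request gets signed by the CA. On a separate hierarchy that matters little, because enterprise clients do not trust that root at all. Once SCEP is moved onto the Enterprise Subordinate CA, every SCEP-issued certificate chains to the root all domain members trust, so the controls that remain are which templates the SCEP service can request, whether a challenge password is enforced, and what EKUs those templates carry. The following is an added example written for this thread, not code from the original posts or from Microsoft: a PowerShell check, run elevated on the server hosting the SCEP service, that reads the MSCEP registry configuration and then uses certutil to list what the CA has actually issued from those templates. It assumes the registry layout documented for NDES on Windows Server 2008 and later (the MSCEP key name is the same one the 2003 R2 add-on uses, but verify the value names on your build), and that the configured templates are version 1 templates, which the CA database records by name; version 2 and later templates are recorded by OID, so substitute the OID in the restriction if that applies to you.

```powershell
# Added example (not from the thread): audit what an Enterprise CA's SCEP/NDES
# service is allowed to issue and what it has issued so far.
# Assumptions: run elevated on the SCEP server; MSCEP registry layout as
# documented for NDES; template names below are version 1 templates.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# 1. Templates the SCEP service may request. Anything listed here can be
#    obtained by a device that knows only the SCEP URL and a challenge password,
#    and the result chains to the enterprise root.
$templates = @{}
foreach ($name in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    $value = (Get-ItemProperty -Path $mscep -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) { $value = 'IPSECIntermediateOffline' }   # documented NDES default
    $templates[$name] = $value
}
'--- Templates the SCEP service can request ---'
$templates.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize | Out-String

# 2. Challenge password policy. EnforcePassword = 0 means any host that can reach
#    the SCEP URL can enrol with no password at all; UseSinglePassword = 1 means
#    one static password is shared by every device instead of a one-time value.
$enforce = (Get-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword `
            -ErrorAction SilentlyContinue).EnforcePassword
$single  = (Get-ItemProperty -Path "$mscep\UseSinglePassword" -Name UseSinglePassword `
            -ErrorAction SilentlyContinue).UseSinglePassword
"EnforcePassword   = $enforce   (expect 1)"
"UseSinglePassword = $single   (expect 0 or absent)"

# 3. What the CA has issued from those templates (Disposition 20 = issued).
#    On an Enterprise CA the SCEP service submits requests on the device's
#    behalf, so RequesterName should be nothing but the SCEP service identity,
#    and every CommonName should be a router you recognise. Anything else means
#    a certificate trusted by the whole enterprise went to something unexpected.
foreach ($tpl in ($templates.Values | Sort-Object -Unique)) {
    "--- Certificates issued from template $tpl ---"
    & certutil.exe -view -restrict "CertificateTemplate=$tpl,Disposition=20" `
        -out 'RequestID,RequesterName,CommonName,NotBefore,NotAfter'
}
```

Run this before and after the migration and keep the output with the change record. The companion control on the template side is to make sure the templates listed in step 1 carry only the EKUs the routers need (IPsec/IKE), and none that an enterprise relying party would accept for client authentication, code signing or logon; a relying party that checks only that the chain ends at the enterprise root will otherwise accept a SCEP-issued certificate for any purpose its EKUs allow.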
