using certs in non-domain environments:

  • Thread starter Thread starter Kristin Griffin
  • Start date Start date
K

Kristin Griffin

Hi there.

I have been learning about PKI and AD CS. And there is alot of material
about using active Directory to hand out certs.
But what if you were in a non-domain environment. How would 2 companies use
each other's certs? Let's say that company A and company B each had AD CS
running on standalone machines. Let's say they each were part of a
workgroup instead of a domain.

In order to use each other's certts, would they need to manually exchange
certs, put them each other's cert store, and also exchange the Root CA cert
and put that in the certificate store (in two places I think)?

Or am I thinking about this all wrong?

Thanks for your help.

Kristin
 
On Wed, 23 Jan 2008 19:40:52 -0800, Kristin Griffin wrote:

> I have been learning about PKI and AD CS. And there is alot of material
> about using active Directory to hand out certs.
> But what if you were in a non-domain environment. How would 2 companies use
> each other's certs? Let's say that company A and company B each had AD CS
> running on standalone machines. Let's say they each were part of a
> workgroup instead of a domain.
>
> In order to use each other's certts, would they need to manually exchange
> certs, put them each other's cert store, and also exchange the Root CA cert
> and put that in the certificate store (in two places I think)?

They would need to install each other's root CA certificate in all
computers in their org that needed to trust both their own root, and the
other org's root. The installation of the root certs should be done with a
local administrator account on each computer so that all users of the
computers would trust both their own root and the other org's root.
I don't know what you mean by "in two places I think".
Keep in mind that by doing this each org would trust *every* certificate
issued by the other org.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
You might have mail.
 
The best answer would be to use Cross-Certification with qualified
subordination constraints.
The two companies would cross-certify each other's CA hierarchies and define
explictly what form(s) of certificates are trusted from the other PKI.
Putting the other organization's certificates into your organization's
trusted root store provides complete and utter trust (may not be desired).
Now, if this is a merger or part of an umbrella group, it could be desired.

See my whitepaper on this at www.microsoft.com/pki
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx

As for non-domain environments....
No easy answer here. Typically, you are looking at generating certificate
requests (often referred to as CSRs) and then submit the CSRs to CAs.
Another option is to deploy standalone CAs to the non-domain environment,
and issue certificates based on the content of the certificate request,
rather than using certificate templates.

Brian

"Kristin Griffin" <kristin.l.griffin@gmail.com> wrote in message
news:%23zsb0sjXIHA.4440@TK2MSFTNGP06.phx.gbl...
> Hi there.
>
> I have been learning about PKI and AD CS. And there is alot of material
> about using active Directory to hand out certs.
> But what if you were in a non-domain environment. How would 2 companies
> use each other's certs? Let's say that company A and company B each had AD
> CS running on standalone machines. Let's say they each were part of a
> workgroup instead of a domain.
>
> In order to use each other's certts, would they need to manually exchange
> certs, put them each other's cert store, and also exchange the Root CA
> cert and put that in the certificate store (in two places I think)?
>
> Or am I thinking about this all wrong?
>
> Thanks for your help.
>
> Kristin
>
 
Paul,
Thanks for the reply. What I meant by "two places I think" was that you
need to put the root CA cert of the other company you want to trust into two
places in your certificate store. I think you have to put them in "Trusted
Root Certificate Authorities", but also in "Third Party Root Certificate
Authorities". Is that true, or do ou just need to put the rootCA cert in one
place?

Brian, I appreciate your recommendations. I have read your info on
cross-certification in your book and will read your whitepaper shortly. You
said: "issue certificates based on the content of the certificate request,
rather than using certificate templates."

I am afraid you lost me a bit there. Can you explain that in laymans terms?
Thanks alot guys! Cheers, Kristin

"Kristin Griffin" wrote:

> Hi there.
>
> I have been learning about PKI and AD CS. And there is alot of material
> about using active Directory to hand out certs.
> But what if you were in a non-domain environment. How would 2 companies use
> each other's certs? Let's say that company A and company B each had AD CS
> running on standalone machines. Let's say they each were part of a
> workgroup instead of a domain.
>
> In order to use each other's certts, would they need to manually exchange
> certs, put them each other's cert store, and also exchange the Root CA cert
> and put that in the certificate store (in two places I think)?
>
> Or am I thinking about this all wrong?
>
> Thanks for your help.
>
> Kristin
>
>
>
 
Back
Top