shutting down a trusted CA and raising a new trusted CA

Discussion in 'Security Software' started by cobra, Jul 14, 2005.

  1. cobra

    cobra Guest

    hi all

Currently we have a trusted CA running and issuing certificates, but since
    it is not accessible most of the time, certificates for IIS Portal users
    cannot be issued in time.

    Therefore we need to make a new TRUSTED CA in our region.

    There are approx 500 Users and 100 user migrations per year.

    Since the Certificate that the CA issues must be trusted, what options do we
    have?

    Can we have a new CA, and make a trusted root certificate for the IIS Server
    and make Certificates for all users and map the new ones to the already
    existing users on the IIS (like many-to-one)

    What needs to be done so the end user does not realize that there is a new
    CA, and what is needed for a trusted certificate (all green, no yellow in the
    dialog box)?

    I'm sorry if my explanation is a bit rough, but I'm doing a solution design
    and am not really a CA specialist. It would be helpful to have some valuable
    input from professionals on what is realistic and what is not.
     
    cobra, Jul 14, 2005
    #1

  2. In the real world, the root CA is always stored offline for security reasons.
    So what they do is create a CA hierarchy and let the lower-level CA
    (issuing CA) handle certificate deployment. This will be transparent to users
    regardless of whether the root CA is offline or not, as it is now not the one
    that issues certs directly.

    Check out this site for more detailed deployment info.

    "http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/27bdfc11-96fd-4082-8458-8111af7d6abd.mspx"

    HTH.
     
    Wong Tuck Wah, Jul 15, 2005
    #2

  3. cobra

    cobra Guest

Yes, the issuing CA is stored offline. So I have to know if I have to move the
    root CA or only the issuing CA... correct?

    So actually making a new issuing CA should not be a problem, right?
     
    cobra, Jul 15, 2005
    #3
  4. Absolutely yes, you can install another issuing CA under the existing CA.
    This new CA will be used for future issuing of certificates, even though the
    existing CA is shut off.
     
    Wong Tuck Wah, Jul 16, 2005
    #4
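The two-tier layout described in replies #2 and #4 (offline root, online issuing CA under it, root key needed only to sign the issuing CA) can be reproduced end to end with openssl. The script below is an added example written for this thread; it is not from the original posts or from the Microsoft deployment guide linked above, and it uses openssl rather than the Windows Certificate Services the thread is about, because the trust relationships are the same. Every name in it (Example Corp, "Offline Root CA", "Issuing CA 2", the users alice and bob) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build an offline-root / online-issuing-CA
# hierarchy with openssl, take the root key away, and show that user
# certificates can still be issued and still chain to the trusted root.
# All organisation, CA and user names below are made up for the demo.

WORK=$(mktemp -d)           # scratch directory; nothing outside it is touched
cd "$WORK" || exit 1

# Root CA config: self-signed, CA:TRUE, may only sign certs and CRLs.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
O = Example Corp
CN = Offline Root CA
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions stamped onto the subordinate CA by the root: it is a CA, but
# pathlen:0 stops it from creating further CAs beneath itself.
cat > ext_ca.cnf <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Extensions for an end-entity (portal user) certificate: explicitly not a CA.
cat > ext_ee.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Writes a minimal req config for a CSR with the given CN (avoids depending
# on the system openssl.cnf being present).
csr_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Example Corp\nCN = %s\n' "$1" > "$2"
}

# Step 1: the root signs itself. Its private key is used once more (step 2)
# and is then taken offline.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config root.cnf -keyout root.key -out root.pem >/dev/null 2>&1
}

# Step 2: the online issuing CA generates its own key; the root signs its CSR.
make_issuing_ca() {
  csr_cnf "Issuing CA 2" issuing.cnf &&
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config issuing.cnf \
    -keyout issuing.key -out issuing.csr >/dev/null 2>&1 &&
  openssl x509 -req -sha256 -days 1825 -in issuing.csr \
    -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ext_ca.cnf -out issuing.pem >/dev/null 2>&1
}

# Step 3: day-to-day issuance needs issuing.key only, never root.key.
issue_user_cert() {
  csr_cnf "$1" "$1.cnf" &&
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
  openssl x509 -req -sha256 -days 365 -in "$1.csr" \
    -CA issuing.pem -CAkey issuing.key -CAcreateserial \
    -extfile ext_ee.cnf -out "$1.pem" >/dev/null 2>&1
}

# What the relying party (the IIS server) does: trust only the root and build
# the chain user -> issuing CA -> root. Exit status 0 means the chain is valid.
verify_user_cert() {
  openssl verify -CAfile root.pem -untrusted issuing.pem "$1.pem" >/dev/null 2>&1
}

# The common deployment mistake: root trusted, but the issuing CA certificate
# is not available to the verifier. Every user cert then shows as untrusted.
verify_without_intermediate() {
  openssl verify -CAfile root.pem "$1.pem" >/dev/null 2>&1
}

# Prints the issuer DN of a user certificate, for inspection.
issuer_of() {
  openssl x509 -in "$1.pem" -noout -issuer
}

# Build the hierarchy, issue one cert, "shut off" the root by removing its key,
# then keep issuing: exactly the situation reply #4 describes.
build_hierarchy() {
  make_root && make_issuing_ca && issue_user_cert alice &&
  rm -f root.key && issue_user_cert bob
}

build_hierarchy || exit 1
verify_user_cert alice && echo "alice: chain OK ($(issuer_of alice))"
verify_user_cert bob   && echo "bob: chain OK, issued with the root offline"
verify_without_intermediate alice || echo "alice without issuing CA cert: rejected"
```

The last three lines are the checks worth carrying over to a real rollout: a user certificate must verify when the root is the only trust anchor, issuance must keep working after the root key is unreachable, and the issuing CA's certificate has to reach the relying parties (on Windows, through the intermediate store or the server's own chain), or browsers will show the very warning the original poster wants to avoid.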