Best Practice recommendation: 2-tier CA hierarchy - Windows Server 2008 ADCS installation options
I will set up a two-tier CA hierarchy with an offline root CA and an online issuing CA. The offline root CA server will be a workgroup server with a 10 year CA validity period and 2048 bit key length; the online issuing CA (subordinate CA) server is a member of a domain with a 5 year CA validity period and 1024 bit key length; certificates from the issuing CA will have a maximum 2 year validity period with 1024 bit key length. Are the validity periods and key lengths appropriate with best practice? I plan to use <Microsoft Strong Cryptographic Provider> to configure Cryptography for the CA. Do I need to select other cryptographic service providers? The domain of which the issuing CA server is a member is a child domain of a root domain in an AD forest. Which account should I use to install the ADCS component? I plan to use a child domain account that is a member of the <domain admins> groups in the child domain and root domain, plus the account is also in <Enterprise Admins> in the root domain. No CDP and AIA will be specified for the offline CA. But the online CA should have them; I plan to publish the CDP and AIA with LDAP to the child domain first and then HTTP. I can have multiple HTTP URLs, am I right? Can I host some of the HTTP URLs on a non-issuing CA server? Actually, I would like to point them to a web NLB cluster. The main purpose of our CA solution is 802.1x authentication with certificates for users and computers in our internal network. Thanks in advance. SJJ123
December 10th, 2009 1:24pm

> Are the validity periods and key lengths appropriate with best practice?

yes.

> Do I need to select other cryptographic service providers?

no, unless there are special requirements.

> Which account should I use to install ADCS component?

you need Enterprise Admins permissions, because the CA writes itself into the Configuration partition that is replicated between all domain controllers in the forest (not domain), so your assumption is correct.

> No CDP and AIA will be specified for the offline CA

by default in Windows Server 2008 a CA root certificate doesn't contain a CDP extension.

> I can have multiple HTTP urls, am I right?

yes, of course!

> Can I host some of the HTTP urls on non issuing CA server?

yes. These URLs just indicate where clients can download CRT and CRL files, so you may set any HTTP URL. You just will have to manually copy these files from the CA server to the Web server.

> Actually, I would like to point them to a web NLB cluster.

there are no restrictions.

http://www.sysadmins.lv
December 10th, 2009 6:43pm

The validity periods are OK, I would even consider upping the issuing CA to 10 years as well (to reduce the number of renewals you perform) and to use a 2048 bit key on the issuing CA.

For issuing certificates, I would not limit to only 1024 bit keys, there are cases where you want 2048 (KRA for example).

It really does not matter what domain the issuing CA is a member of, as long as the person installing the CA is a member of both the local Administrators group and the Enterprise Admins group.

To clarify, the root CA certificate will not have an AIA or CDP, but the certificates it issues to issuing CAs *must have an AIA and CDP*.

The LDAP URL is always pointing to the Configuration NC which is in the forest root domain, it is impossible to point it to the child domain. The current recommendation for best practices is to use HTTP and HTTP only for all URLs. They should be hosted on a highly available Web cluster and limited to one. LDAP is only viable if all clients are forest members and running Windows 2000+ clients.

See the best practices whitepaper on revocation checking that I wrote: http://go.microsoft.com/fwlink/?LinkId=145008

Brian
December 10th, 2009 6:45pm

Hi Brian,

I am reading your book "Windows Server 2008 PKI and Certificate Security" while doing my CA design work. I am very surprised that you have replied to my question.

If I select a 10 year validity period for the issuing CA, my end certificates to users, computers, servers, etc. will have a 5 year validity period, am I right?

If I go for 2048 bit key lengths, do I have any problem with my immediate need: Windows XP SP3 is our current OS for our computers and our domain is still running at Windows Server 2003 AD functional level. May I also assume that I can issue certificates to users and Windows Server 2003/2008 servers?

I would like to use a public OID number but I may not have enough time to wait for it. If I install ADCS with a private OID, may I change it to a public OID from IANA?

Thank you very much.

Warm regards,
SJJ123
December 10th, 2009 7:38pm

I'm not Brian, but I'll try to respond:

> If I select 10 validity period for the issuing CA, my end certificates to users, computers, servers, etc will have 5 year validity period, am I right?

No, this will depend on the validity periods that are set in the certificate templates (in the Enterprise CA case).

> If I go for 2048 key lengths, do I have any problem with my immediately need: Windows XP SP3 is our current OS for our computers and our domain is still running Windows Server 2003 AD functional level

there should not be any issues.

> I would like to use public OID number but I may not have enough time to wait it. If I install ADCS with private OID, may I change it with public OID from IANA?

if this OID is published in certs, you will need to reissue these certificates. However, you may change OIDs that are used in Application and/or Issuance Policies and all new certs will contain the new OID, but previously issued certs will not contain the new OID.

http://www.sysadmins.lv
December 10th, 2009 8:00pm

Adding to Vadims' great answer...

The validity period of a leaf/user certificate is dependent on three things:

1) Remaining lifetime of the CA
2) ValidityPeriodUnits/ValidityPeriod registry settings at the CA
3) Certificate template validity period

It is the minimum of the three values.

If you are awaiting a public OID, I would delay deployment to that date if you plan to assert issuance policy OIDs in the CA and user certificates. It is basically going to be a redeployment (lots of renewals) once you switch the OIDs.

Brian
December 10th, 2009 10:12pm

Hi Vadims,

I am finalizing my plan to re-install both CAs. You have answered my question re the cryptographic service provider:

> > Do I need to select other cryptographic service providers?
> no, unless there are special requirements.

When referencing Brian's book, he has used "RSA#Microsoft Software Key Storage Provider" with sha256 on pages 123, 127, etc. Actually, the default setting is "RSA#Microsoft Software Key Storage Provider". May I also assume that the hash algorithm "sha256" is better than "sha1"? If I select "RSA#Microsoft Software Key Storage Provider" with sha256, can this combination work with our Windows environment? Our Windows environment is Windows XP SP3 computers in a Windows Server 2003 R2 domain with the Windows Server 2008 schema extension.

Thanks, SJJ123
January 11th, 2010 2:26am

No. A lot of people read too much into the snapshots. As the text states, you must choose a hash algorithm supported by *all* clients on the network. If you plan to issue certificates to the XP clients, you must choose SHA1. An XP SP3 client can *validate* a certificate with a SHA256 signature, but it cannot consume a certificate (get one) with a SHA256 signature.

I would use the KSP though, as you can simply change to SHA256 at a later date by running certutil.

Brian
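As an added example (not code from any poster in this thread), this is how the recommendations above would be applied on the online issuing CA with certutil: HTTP-only CDP/AIA URLs served from a web cluster (Brian's first reply), a 2-year ValidityPeriod cap at the CA (one of the three values in the minimum Brian describes), and the later switch from SHA1 to SHA256 on a KSP-backed CA (Brian's reply just above). The DNS name pki.example.com and the folder E:\pki are assumed placeholders.

```powershell
# Added example, not from any poster in this thread. Assumed placeholders:
#   pki.example.com - DNS name of the highly available web cluster that serves the CRT/CRL files
#   E:\pki\         - local folder whose contents you copy (or replicate) to that cluster
# Run from an elevated prompt on the online issuing CA.

# --- CDP: publish the CRL locally, advertise only a single HTTP URL in issued certs ---
# CRLPublicationURLs flags: 1 = publish CRL to this location, 2 = include in the CDP
# extension of issued certs, 4 = include in CRLs (delta CRL location), 64 = publish delta
# CRLs to this location. Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
# The literal "\n" separates entries; certutil interprets it, PowerShell passes it through.
certutil -setreg CA\CRLPublicationURLs "65:E:\pki\%3%8%9.crl\n6:http://pki.example.com/pki/%3%8%9.crl"

# --- AIA: publish the CA certificate locally, advertise only the HTTP URL ---
# CACertPublicationURLs flags: 1 = publish CA cert to this location, 2 = include in the
# AIA extension of issued certs. Tokens: %1 = server DNS name, %4 = CA certificate index.
certutil -setreg CA\CACertPublicationURLs "1:E:\pki\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt"

# --- Validity cap at the CA level (2 years, as planned in the original question) ---
# An issued cert gets the minimum of this value, the template's validity period,
# and the remaining lifetime of the CA certificate.
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

# Registry changes take effect after a service restart; then publish a fresh CRL
# so the new URLs and the file in E:\pki are consistent.
Restart-Service CertSvc
certutil -crl

# --- Later, once no XP clients enroll any more: move a KSP-backed CA from SHA1 to SHA256 ---
# Only applies when the CA key is held by a CNG KSP such as
# "RSA#Microsoft Software Key Storage Provider". Affects newly issued certs and CRLs;
# the CA's own certificate keeps its existing signature until it is renewed.
# certutil -setreg CA\CSP\CNGHashAlgorithm SHA256
# Restart-Service CertSvc

# --- Verification on a certificate issued afterwards ---
# -urlfetch really downloads the CDP and AIA URLs, so it proves the cluster serves the files.
certutil -verify -urlfetch .\issued-test-cert.cer
```

If the web cluster is fronted by NLB, the same E:\pki contents must be copied to every node, and certutil -verify -urlfetch should be run from a client that resolves pki.example.com through the cluster address.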
January 11th, 2010 7:20am

Hi Brian, Thank you very much for your answer. I will use "RSA#Microsoft Software Key Storage Provider" with sha1 during installation. Kind regards, Shang
January 11th, 2010 12:20pm

Brian, I want to clearly understand what you posted on this topic as we have several thousand xp workstations. Are you basically saying that XP clients cannot get certs if they are signed SHA256? Not even with a hotfix/patch etc? We are just beginning to build our PKI and I want to make the right decisions to make sure there are no rebuilds for us. Thanks. Kirk Wyckoff
January 20th, 2011 5:16pm

