Can there be Two Enterprise Certificate Authorities in a Single Domain Forest?
January 20th, 2012 2:34am

With a single domain forest, is it possible to install two Enterprise Certificate Authorities, one to auto issue Machine Certs and the other to auto issue User Certs? I understand there is no technical reason for two CAs. I am in a situation where one team is pushing forward to deploy an Ent CA for machine certs in support of Wireless, but not really looking at the bigger picture (i.e. how the CA would impact the generation of User certs for email, etc.). So if there becomes a problem with this first CA (i.e. unable to support User Email Certs), then can a second CA be installed to support User Certs? If not, that would provide ammo to help slow down this team. Thomas Talley
February 4th, 2012 4:46pm

On Thu, 19 Jan 2012 21:39:24 +0000, Thomas Talley wrote:
"With a single domain forest, is it possible to install two Enterprise Certificate Authorities, one to auto issue Machine Certs and the other to auto issue User Certs? I understand there is no technical reason for two CAs. I am in a situation where one team is pushing forward to deploy an Ent CA for machine certs in support of Wireless, but not really looking at the bigger picture (i.e. how the CA would impact the generation of User certs for email, etc.). So if there becomes a problem with this first CA (i.e. unable to support User Email Certs), then can a second CA be installed to support User Certs? If not, that would provide ammo to help slow down this team."
Yes, you can certainly do this from a technical standpoint, with no problems; however, a PKI should really be an enterprise-wide solution and not simply a quick and dirty tactical solution. Paul Adare MVP - Forefront Identity Manager http://www.identit.ca Software: Typically silk nighties, nylons, garter belts. Contrast with hardware.
February 4th, 2012 5:36pm

Totally agree, but there is "politics" involved :( How would one ensure that the appropriate CA is used for each cert? This is in support of auto enrollment for both machine and user (but different CAs). Thanks, Tom. Thomas Talley
February 4th, 2012 5:57pm

Paul is correct. If you have that level of politics, then tell the other team to build their own forest. I may sound like I am kidding, but politics has no place in a PKI design. In a single forest, there is only one certificate template store. If a template is available at both CAs, it is the first one that responds to the requests that will issue the certificate. You would have to set up two different sets of identical templates to do what you want, which is a waste of effort and time. I think you need to stomp your feet a little louder now and do a "proper" PKI for the organization with a single point of trust. Give them each an issuing CA and tell them to shut up. Brian
February 4th, 2012 6:41pm
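Brian's point (one template store per forest; a template published on two CAs is issued by whichever CA answers first) and Tom's question about making sure each cert type goes to the intended CA can both be checked from the directory. The script below is an added example, not from the thread or from any Microsoft tooling: it reads the forest's Enrollment Services container over LDAP (no RSAT module required, run as an ordinary domain user on a domain-joined host) and flags any template that more than one enterprise CA publishes.

```powershell
# Added example: audit which enterprise CA publishes which certificate templates,
# and flag templates published on more than one CA. Assumes a domain-joined host
# and read access to the Configuration partition (normal for domain users).

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$esPath   = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

# Each enterprise CA registers a pKIEnrollmentService object here; its
# certificateTemplates attribute lists the templates that CA will issue.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$esPath
$searcher.Filter     = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

# Map template name -> list of CAs that publish it
$byTemplate = @{}
foreach ($result in $searcher.FindAll()) {
    $caName    = [string]$result.Properties["cn"][0]
    $caHost    = [string]$result.Properties["dnshostname"][0]
    $templates = @($result.Properties["certificatetemplates"])
    Write-Host ("CA {0} ({1}) publishes {2} template(s)" -f $caName, $caHost, $templates.Count)
    foreach ($t in $templates) {
        if (-not $byTemplate.ContainsKey($t)) { $byTemplate[$t] = @() }
        $byTemplate[$t] += $caName
    }
}

# A template on two CAs is served by whichever CA answers the enrollment request
# first, so for "machine certs on CA-A, user certs on CA-B" every template must
# appear on exactly one CA.
$overlaps = $byTemplate.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($overlaps) {
    Write-Warning "Templates published on more than one CA (enrollment goes to whichever responds first):"
    $overlaps | ForEach-Object { "  {0,-35} -> {1}" -f $_.Key, ($_.Value -join ", ") }
} else {
    Write-Host "No template is published on more than one CA."
}
```

Re-run it after changing template publication on either CA; an empty warning list is the condition under which the two-CA split actually holds.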
