Configuration naming context for multi-forest
Hi, I have been trying to find a solid answer on how to set up a 2-tier PKI (offline Root CA and online issuing CA) for a multi-forest environment. I plan to have a single offline Root CA and one issuing Enterprise CA for each forest. The forests have no trust between them, but the main purpose is to issue SSL certificates to web servers in domain A and test the SSL connection using a PC from domain B. I have found out that in a multi-forest PKI the CDP has to be accessible from all forests; therefore the CDP will be a public web server. I have 2 questions:

1. Can the CDP be referred to with an IP address instead of a DNS name?
2. How should I declare the "Configuration Naming Context" in the Root CA for multi-forest (post-installation script)? (All forests have different LDAP names, so I am not sure which forestRootDomain I should declare in the Root CA.)
April 12th, 2010 7:21pm

> 1. Can the CDP be referred with IP address instead of a DNS name?

Yes, you can.

> 2. How should I declare the "Configuration Naming Context" in the Root CA for multi-forest?

You must specify the *current* forest root domain for the forest naming context. In the offline CA case, you can specify only one forest name. I would advise not using LDAP URLs to retrieve CRT/CRL files. Instead it is recommended to use a publicly and internally available web server (single, cluster or multiple servers).

http://www.sysadmins.lv
April 12th, 2010 7:30pm

1. No, you have to use a DNS name. You need to decide on a name that can be accessed from both forests. Even if the name refers to different IP addresses, that's fine, as long as the name can be properly resolved from both forests.

2. Don't worry about the Configuration Naming Context in the Root CA post-installation script. You're not going to be using LDAP locations for the CDP, so there's no real point. Use Group Policy to publish the Root CA cert in both forests, and specify only an http:// URL for the CDP location.

Paul Adare, CTO, IdentIT Inc., ILM MVP
April 12th, 2010 7:30pm

> No, you have to use a DNS name

Can you explain why I can't? I know that this is not recommended, but I can use IP addresses in CDP/AIA extensions.

http://www.sysadmins.lv
April 12th, 2010 7:38pm

Thanks Vadims for the answer. What is actually done when I am specifying the "Configuration Naming Context"? The book I am reading does not explain it thoroughly.

Andrew
April 12th, 2010 10:37pm

Hi,

The configuration naming context is the configuration partition in the AD forest, cn=configuration,dc=YourDomainName. The "Publishing the CRL and CA Certificate into Active Directory" section of the following article may help you understand what it actually does:

Walkthrough (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003)
http://technet.microsoft.com/en-us/library/cc787276(WS.10).aspx

If there is anything unclear, please feel free to respond back.

This posting is provided "AS IS" with no warranties, and confers no rights.
April 19th, 2010 11:09am
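Putting the advice in this thread together (HTTP-only CDP/AIA so that nothing in the CA configuration is tied to one forest's configuration partition), here is an added example of a root CA post-installation script; it is not from any of the posters. The host name pki.example.com, the CA name RootCA and the CRL periods are assumed placeholders.

```powershell
# Added example: post-install settings for an offline root CA that serves two
# untrusted forests. Run on the root CA after ADCS setup, as an administrator.
# Assumed: pki.example.com resolves from both forests and hosts the CertEnroll share.

# CDP: publish the CRL to the local CertEnroll folder (flag 1) and write only an
# HTTP URL into the CDP extension of issued certificates (flag 2). No ldap:/// URL,
# so no forest-specific Configuration Naming Context is baked into the certificates.
certutil -setreg CA\CRLPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl'

# AIA: same pattern for the CA certificate (flag 2 = include in the AIA extension).
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt'

# A long base-CRL lifetime for an offline root, and no delta CRLs, so the
# machine only has to be brought online to re-sign the CRL occasionally.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

# DSConfigDN would be the answer to the "Configuration Naming Context" question,
# but it can name only one forest's partition and is only used for ldap:/// URLs,
# which is why it is left unset here. (Placeholder forest shown, commented out.)
# certutil -setreg CA\DSConfigDN 'CN=Configuration,DC=forestA,DC=example'

# Apply the settings and generate the first CRL under them.
Restart-Service certsvc
certutil -crl

# Afterwards, copy the .crt and .crl from CertEnroll to the web server, then, from a
# client in the *other* forest, confirm every CDP/AIA URL in the chain is reachable:
#   certutil -verify -urlfetch .\RootCA.crt
# Trust distribution per forest (Group Policy, or from an enterprise admin in each forest):
#   certutil -dspublish -f .\RootCA.crt RootCA
```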

Hi, I have two AD forests and a 3-tier PKI hierarchy. I read that I have to remove LDAP paths from the CDP (now it only includes http) on the policy CA (second tier) to make this work, so I did, renewed the policy CA cert and republished the CRL. Then I copied, as usual, the .crt and .crl files from the offline policy CA to the online issuing CA. When trying to publish them into AD, I receive the following error:

A required CRL extension is missing
Certutil: -dsPublish command FAILED: 0x80070490 (WIN32: 1168)
Certutil: Element not found.

Is there a way out of the paradox?

Best regards, Sven
April 29th, 2010 3:58pm

Have you specified the CA computer name in certutil? You need to use the following format: certutil -dspublish -f path\file.crl cdp CAComputerName, where CAComputerName is the name of the corresponding CA computer account.

http://www.sysadmins.lv
April 29th, 2010 7:05pm

If there are no LDAP paths, there is *no* need to publish the CRL into Active Directory. Nothing is going to try to download it. Although Vadims is correct that you can publish it by providing the name of the root CA as the container name, there is really no point, since no one will download it from there. That being said, you do want to publish the Root CA certificate into AD, as it will then propagate to all domain-joined PCs as a trusted root CA.

Brian
April 29th, 2010 7:36pm
