Why POLICY CAs?
Hi,
We are planning to implement an internal certification authority in our organization.
It would be great if someone could explain to me what POLICY CAs really do in a CA hierarchy.
July 23rd, 2012 1:53am
For details about certificates, the Security forum is the better place:
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator |
My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
July 23rd, 2012 2:00am
Hello,
Please see
http://technet.microsoft.com/en-us/library/cc756989(WS.10).aspx especially:
"Enterprise and stand-alone CAs can be configured as either Root CAs or Subordinate CAs. Subordinate CAs can further be configured as either Intermediate CAs (also referred to as a policy CA) or Issuing CAs."
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
July 23rd, 2012 3:23am
Hello,
A policy CA is typically located on the second-tier of a CA hierarchy, directly beneath the root CA. In this scenario, the root CA is often referred to as a parent CA, because the root CA issued a Subordinate Certification Authority certificate to the policy CA. In fact, any CA that issues a certificate to another CA is referred to as a parent CA. The CA that receives the certificate from a parent CA is known as a subordinate CA.
The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI, the processes that validate the identity of certificate holders, and the processes that enforce the procedures that manage certificates. A policy CA issues certificates only to other CAs. The CAs that receive these certificates must uphold and enforce the policies that the policy CA defined.
It is not mandatory to use policy CAs unless different divisions, sectors, or locations of your organization require different issuance policies and procedures. However, if your organization requires different issuance policies and procedures, you must add policy CAs to the hierarchy to define each unique policy. For example, an organization can implement one policy CA for all certificates that it issues internally to employees and another policy CA for all certificates that it issues to non-employees.
Resource: http://technet.microsoft.com/en-us/library/cc779826%28v=ws.10%29.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
July 23rd, 2012 3:56am
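Added example (not part of any post in this thread and not Microsoft code): a simplified Python model of how the internal/non-employee policy separation described in the reply above is enforced during path validation through the certificatePolicies extension of RFC 5280. It goes beyond the thread by naming that mechanism; the OIDs, CA names and helper functions are constructed for illustration, and policy mappings and inhibit flags are left out.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID defined in RFC 5280

# Constructed policy OIDs under a placeholder arc (not real assignments).
INTERNAL = "1.3.6.1.4.1.99999.1.1"  # certificates issued to employees
EXTERNAL = "1.3.6.1.4.1.99999.1.2"  # certificates issued to non-employees

def cert(subject, is_ca, policies):
    return {"subject": subject, "is_ca": is_ca, "policies": set(policies)}

def valid_policies(path):
    """Policies valid for a whole path, ordered from the policy CA (the CA
    directly under the root) down to the end entity. Simplified model."""
    valid = {ANY_POLICY}
    for c in path:
        if not c["policies"]:            # no certificatePolicies extension
            return set()
        if ANY_POLICY in c["policies"]:
            continue                     # inherits whatever is valid so far
        if ANY_POLICY in valid:
            valid = set(c["policies"])   # first explicit policy statement
        else:
            valid &= c["policies"]       # later certs can only narrow it
    return valid

def findings(path, required):
    """Problems an auditor or relying party would flag for this path."""
    out = []
    for issuer, child in zip(path, path[1:]):
        if not issuer["is_ca"]:
            out.append(f"{issuer['subject']} is not a CA but issued {child['subject']}")
    if len(path) > 1 and not path[1]["is_ca"]:  # path[0] is the policy CA
        out.append(f"policy CA {path[0]['subject']} issued an end-entity certificate")
    valid = valid_policies(path)
    if required not in valid and ANY_POLICY not in valid:
        out.append(f"policy {required} is not valid for the whole path")
    return out

# Constructed hierarchy: root -> policy CA -> issuing CA -> end entity.
INTERNAL_POLICY_CA = cert("Internal Policy CA", True, [INTERNAL])
EXTERNAL_POLICY_CA = cert("External Policy CA", True, [EXTERNAL])
ISSUING_CA = cert("Issuing CA 1", True, [ANY_POLICY])
EMPLOYEE = cert("alice", False, [INTERNAL])

GOOD_PATH = [INTERNAL_POLICY_CA, ISSUING_CA, EMPLOYEE]
BAD_PATH = [EXTERNAL_POLICY_CA, ISSUING_CA, EMPLOYEE]
```

`findings(GOOD_PATH, INTERNAL)` is empty, while the same employee certificate chained under the external policy CA fails because the intersection of policies along the path is empty.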
Hi,
An intermediate CA is often referred to as a policy CA because it is typically used to separate classes of certificates that can be distinguished by policy. For example, policy separation includes the level of assurance that a CA provides or the geographical location of the CA to distinguish different end-entity populations. A policy CA can be online or offline.
Note
Most organizations use one root CA and two policy CAs: one to support internal users, the second to support external users.
More:
Deployment of the new Federal Common Policy CA Root Certificate
http://blogs.technet.com/b/pki/archive/2011/03/13/deployment-of-the-new-federal-common-policy-ca-root-certificate.aspx
Regards,
Yan Li
TechNet Community Support
July 23rd, 2012 4:33am