Windows 2003 R2 AD environment integrated with smartcard login authentication -> Request for advise
Dear all,

Your advice on the following will be much appreciated.

I have a customer (a finance-oriented organization) who is a Certification Authority (CA), and it has a PKI structure with (1) Root CA and (2) Subordinate CAs. He is interested in setting up a Microsoft Windows 2003 R2 and Windows XP environment based on smart card authentication, in parallel with its current classic domain authentication with username/password.

The organization has the authority to produce smart cards that contain two (2) certificates:
- one (1) authentication certificate that certifies and proves the user's identity
- one (1) qualified certificate that is used for the user's digital signature

The authentication certificate contained in the smart card certifies the user's identity, and the qualified certificate is used for signing the data submitted. I can provide you with more details about that customer's AD/PKI/CA infrastructure, upon request.

At this point in time, the customer has created a test environment on Windows 2003 R2 for smart card login authentication. I assume the customer has two alternatives: either to import the private key of the PKI-CA infrastructure on the test Win2k3 R2 server, or to merge (network-wise) the test Windows 2003 R2 server with the production PKI-CA infrastructure. The customer claims that both alternatives above cannot be applied, due to the existing PKI CA infrastructure security rules & guidelines. Is there any other alternative for this customer?

Many thanks in advance for your time and support.

Greetings,
Nick.
December 15th, 2009 3:37pm

I am not really sure what you are asking, to be honest. In most cases where we deploy, you set up *separate* deployments and never merge a test environment into production. This means that you would deploy a *new* PKI in the production network, using the procedures/scripts/policies that were approved in test.

Brian
December 15th, 2009 4:45pm

Can you please identify the confusing point? FYI, this customer has been certified, in the local market, as a CA. That means it is obliged to comply with certain rules and restrictions. For instance, Root CA certificates, as well as Sub CA certificates, along with their private keys, are not permitted to be placed or installed anywhere else apart from the PKI-CA production infrastructure. The reason behind this is that, for example, if they were installed on a random DC, they could be stolen. Hoping their request for an alternative option makes better sense now. :)

Nick.
December 16th, 2009 8:18pm

Nope
December 17th, 2009 12:58am
