SCEP implementation

Neil

We have developed our Microsoft Server 2003 R2 PKI to issue certificates to
Windows devices and to Cisco routers. The current configuration is a single
Standalone Root CA which has been used to authenticate an Enterprise
Subordinate CA and a Standalone Subordinate CA with SCEP. The Standalone
root CA has then been taken off-line.

Our Windows devices are issued certificates from the Enterprise Subordinate
CA and our Cisco routers are issued certificates from the Standalone CA with
SCEP. We have a backup site configured with Enterprise Subordinates and
Standalone subordinates also.

We are looking at consolidating this deployment by removing the standalone
CA with SCEP and installing SCEP on our Enterprise Subordinate CA. This will
result in all Windows devices and Cisco devices being issued certificates
from the one Enterprise subordinate CA.

My question is: Are there any known problems, security, maintenance or
operational issues with this approach?

Paul Adare - MVP

On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:

> My question is: Are there any known problems, security, maintenance or
> operational issues with this approach?

Nope.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
On line: A statement shouted at tennis judges in response to serves being
called out.

Neil

Hi Paul,
Thanks for the response.

On the SCEP download page there are the following quotes:
http://www.microsoft.com/downloads/...63-d036-41d8-8860-1636411b2d01&displaylang=en

"When using a standalone CA, the CA should be in a separate certification
hierarchy from all other CAs in your organization. This helps prevent any
unintended trust of SCEP clients."

"When using a standalone CA with SCEP as a separate certification hierarchy,
the root CA's certificate and chain should not be trusted by other clients in
the enterprise. In this configuration, the SCEP-oriented PKI is only intended
for trust by intermediate network devices that use SCEP."

So if I use an enterprise CA for SCEP, does that remove the need for having a
separate certification hierarchy?
Could someone please elaborate on why Microsoft have suggested that a
standalone SCEP CA should be in a separate PKI hierarchy?
Thanks

"Paul Adare - MVP" wrote:

> On Wed, 16 Jul 2008 21:30:00 -0700, Neil wrote:
>
> > My question is: Are there any known problems, security, maintenance or
> > operational issues with this approach?
>
>
> Nope.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> On line: A statement shouted at tennis judges in response to serves being
> called out.
>
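
As an added illustration (not from this thread or from Microsoft's SCEP documentation) of the "unintended trust" the download page warns about, the Python model below uses the `cryptography` library to build the two deployments Neil describes and checks whether a SCEP-issued router certificate chains to the root that enterprise clients trust. All CA and device names (ENT-ROOT, SCEP-SUB, router1 and so on) are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False):
    """Build a certificate for `cn`; self-signed (a root) when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(issuer.subject if issuer else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())

def chains_to_trusted(cert, intermediates, trusted_roots):
    """True only if every signature from `cert` up to one of `trusted_roots` verifies."""
    for _ in range(8):  # bound the walk so a loop in the supplied certs cannot hang us
        if cert in trusted_roots:
            return True
        issuer = next((c for c in intermediates + trusted_roots
                       if c.subject == cert.issuer and c != cert), None)
        if issuer is None:
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except Exception:
            return False
        cert = issuer
    return False

def router_cert_trusted_by_enterprise(consolidated):
    """Model the two deployments; enterprise clients trust only ENT-ROOT (all names constructed)."""
    ent_root_key, ent_sub_key, dev_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ent_root = make_cert("ENT-ROOT", ent_root_key, is_ca=True)
    ent_sub = make_cert("ENT-SUB", ent_sub_key, ent_root, ent_root_key, is_ca=True)
    if consolidated:  # SCEP on the enterprise subordinate: it signs the router cert directly
        router = make_cert("router1", dev_key, ent_sub, ent_sub_key)
        return chains_to_trusted(router, [ent_sub], [ent_root])
    # Separate hierarchy: a standalone SCEP root and sub-CA unrelated to ENT-ROOT
    scep_root_key, scep_sub_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    scep_root = make_cert("SCEP-ROOT", scep_root_key, is_ca=True)
    scep_sub = make_cert("SCEP-SUB", scep_sub_key, scep_root, scep_root_key, is_ca=True)
    router = make_cert("router1", dev_key, scep_sub, scep_sub_key)
    return chains_to_trusted(router, [scep_sub, scep_root, ent_sub], [ent_root])

if __name__ == "__main__":
    print(router_cert_trusted_by_enterprise(False), router_cert_trusted_by_enterprise(True))
```

With the separate hierarchy the router certificate is rejected by anything that trusts only ENT-ROOT; once SCEP is moved onto the enterprise subordinate, every SCEP-enrolled device certificate becomes valid to every client in the enterprise, which is the trust boundary change the guidance is drawing attention to.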
 