IIS and enterprise sub CA on different machines

on 30.03.2006 22:50:32 by Edward Ray

The Brian Komar texts imply that the enterprise subordinate CA (i.e.
issuing CA) needs to reside on the same machine as IIS. From a security
perspective, this seems like a poor design. From a network standpoint, it
means I have to support multiple IIS servers in my LAN.

Neither is acceptable. I would like to utilize my existing IIS server (not
on issuing CA) to provide certificate enrollment. Adding the virtual
directories seems to be pretty simple, then adding pointers from the CA to
the IIS server.

Is there anything I am missing? If someone has a good reference or web link
on how to set up using this scenario, much appreciated.


Edward W. Ray
CISSP,MCSE+Security,GCIA, GCIH

Re: IIS and enterprise sub CA on different machines

on 02.04.2006 08:56:19 by Ken Schaefer

Hi,

A little confused about what you want to accomplish here. Are you talking
about the CA's web enrolment functionality?

You can "recreate" the virtual directories on any IIS box, but how exactly
is that IIS box going to provide the ability to submit cert requests if it
doesn't have Certificate Services installed? I know you mentioned "adding
pointers from the CA to the IIS server", but that doesn't really make a lot
of sense to me...

Cheers
Ken


"Edward Ray" wrote in message
news:O1xRVuDVGHA.1688@TK2MSFTNGP11.phx.gbl...
: The Brian Komar texts imply that the enterprise subordinate CA (i.e.
: issuing CA) needs to reside on the same machine as IIS. From a security
: perspective, this seems like a poor design. From a network standpoint, it
: means I have to support multiple IIS servers in my LAN.
:
: Neither is acceptable. I would like to utilize my existing IIS server (not
: on issuing CA) to provide certificate enrollment. Adding the virtual
: directories seems to be pretty simple, then adding pointers from the CA to
: the IIS server.
:
: Is there anything I am missing? If someone has a good reference or web link
: on how to set up using this scenario, much appreciated.
:
:
: Edward W. Ray
: CISSP,MCSE+Security,GCIA, GCIH
:
:

Re: IIS and enterprise sub CA on different machines

on 06.04.2006 15:44:24 by v-yren

Hi Edward,

Thanks for your post!

From your description, you want to reside the CA site from the CA server.
If I have misunderstood anything, please let me know.

As far as I know, there are no specifications relating to the current
issue. However, I think the way you mentioned is one workaround. According
to your words, adding a pointer to the CA server via IIS is simple.

Like Ken, I am also a little confused about the "enrollment
functionality". Could you please give me more details about the current
statement?

I appreciate your understanding!

Regards,

Yuan Ren
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights