Hi,
My current project is an attempt to integrate the offline root CA that I have with my PKI setup in Windows - I'll explain further...
I have 2 Windows networks. The 1st one is an AD domain with about 70 clients and 2 domain controllers. The domain CAs exist on these DCs; one is root and one is the subordinate CA which does most of the work. I want to convert the system to an offline root model, using my offline OpenSSL-based CA as root instead of the existing DC. The subordinate would issue client and user certs as it is currently doing, but the overall security profile is improved as the root is not directly available on the network.
The 2nd network is a Terminal Services environment (non-AD) and I basically want to do the same thing as described above.
I'm currently working with the TS network. I can generate a request from the CA that is installed on the Windows TS server, but I'm lost after that as far as how to generate a certificate that will satisfy the needs of this configuration.
Anybody have any experience with this kind of configuration? I'm pretty sure that it can be done, just need a bit of a boost to get it going.
Thanks...