0 Votes
Mohamedkhairy-3766 asked Crypt32 answered

How to deploy a two-tier PKI with two different domains/forests?

Hi Gents

I want to design a PKI environment using a two-tier hierarchy. Below are my requirements:

1. I want to use an offline Root Certificate Authority which is a standalone machine "not joined to any domain".

2. Two subordinate Certificate Authorities are located in two different domains in two different forests. "Trust between the two domains should be avoided."

All the tutorials I found explain deploying a two-tier hierarchy with the subordinates in the same domain.

Here is the tutorial I followed:

https://www.youtube.com/watch?v=uZqDjh1FMSw&list=PLUZTRmXEpBy0VB8ojNFzgmoC1s-_JwZW7&index=7

However, I am stuck at the step of domain registration in the Root CA, `Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=xxxx,DC=xxxx"`, which requires the distinguished name of the domain (refer to video number 07), so I do not know how to proceed or how to configure my Root CA for two domains to be able to publish the certificates for the two subordinates.

I also found another lab, but it too focuses only on one domain:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh...

Please advise if there is a simple, clear procedure to accomplish this.

Note: we prefer 2 CAs in two domains, and the offline RA server "not joined to any domain" will be connected through a firewall to the CAs in the two domains.

Thanks in advance




1 Answer

1 Vote
Crypt32 answered

The only problem you may have in multi-forest environments is CDP/AIA URL reachability from each forest. The problem is greatly reduced if you do not use LDAP URLs in the CDP/AIA extensions for any CA in the chain. In this case, you don't need to configure the `certutil -setreg ca\DSConfigDN` entry. It won't be used.

What you will need is a shared HTTP web server where your root CA will host its CRT/CRL files. This HTTP endpoint must be reachable from both forests.

Further, I would recommend reading my blog post on this subject, which explains best practices on how to properly design CDP/AIA extensions on your CAs and avoid the issues you encountered in this thread: Designing CRL Distribution Points and Authority Information Access locations


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
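The following is an added example, not code from the thread or from the blog post the answer links to. It shows what "HTTP-only CDP/AIA on the root CA" looks like in practice on a Windows offline root: the CDP and AIA extensions of issued certificates carry only an HTTP URL, so no `LDAP:///` location (and therefore no `DSConfigDN`) is needed, and a subordinate CA in either forest can build and revocation-check the chain as long as it can reach that web server through the firewall. `http://pki.example.com/pki/` is a placeholder for your shared web server; the `%1`, `%3`, `%4`, `%8`, `%9` tokens are the standard certutil replacement variables (server DNS name, sanitized CA name, certificate renewal suffix, CRL name suffix, delta-CRL suffix).

```powershell
# Added example, not part of the original thread. Run elevated on the offline root CA.
# Assumption: http://pki.example.com/pki/ is a placeholder for a web server that both
# forests can reach; the .crt/.crl files are copied there manually (the root is offline).
$HttpBase = "http://pki.example.com/pki"
$Local    = '%WINDIR%\system32\CertSrv\CertEnroll'

# CRLPublicationURLs flags: 1 = publish the CRL to this location,
#                           2 = include this URL in the CDP extension of issued certs.
# Only the HTTP entry carries flag 2, so issued certificates contain no LDAP URL.
# certutil itself interprets the literal "\n" as the separator between entries.
certutil -setreg CA\CRLPublicationURLs "1:$Local\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"

# CACertPublicationURLs flags: 1 = publish the CA certificate to this location,
#                              2 = include this URL in the AIA extension of issued certs.
certutil -setreg CA\CACertPublicationURLs "1:$Local\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# An offline root is powered on rarely: issue a long-lived base CRL and no delta CRLs,
# so the published CRL does not expire between maintenance windows.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Apply the registry changes and regenerate the CRL under CertEnroll.
Restart-Service certsvc
certutil -crl

# Verification (run on a client in EACH forest after the files are on the web server):
# every CDP/AIA URL in the chain of the subordinate CA certificate must fetch without
# error. A failure here is the cross-forest reachability problem the answer describes.
#   certutil -verify -urlfetch .\SubCA-Forest1.cer
#   certutil -verify -urlfetch .\SubCA-Forest2.cer
```

Because the two issuing CAs live in untrusting forests, keep their own CDP/AIA configuration HTTP-only as well (the same two `certutil -setreg` lines on each subordinate, pointing at a web server its relying parties can reach); LDAP locations on a subordinate would publish into that forest's Configuration partition, which clients in the other forest can neither resolve nor read.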