Standalone CA and Client Certificates

Question

Hi

OCS uses certificates for the following purposes:

- TLS connections between client and server
- MTLS connections between servers

For Office Communications Server 2007, the following common requirements apply:

- All server certificates must support server authorization (Server EKU).
- All server certificates must contain a CRL Distribution Point (CDP).

So as part of our OCS deployment we are thinking of creating a standalone CA, then modifying the CDP to point to an online HTTP location and re-issuing the CA certificate, then taking the standalone CA offline.

Does anyone see a problem with this working/not working?

Also, could someone clarify the following with regards to Client Certificates?

1) I know the client needs certificates if you use TLS - are these deployed automatically?

2) And if we use TCP - then I think you don't need certificates, but do you lose any functionality?

Thanks

Dhiren

Thursday, September 20, 2007 11:07 AM
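The two requirements quoted above (Server EKU and a CDP) can be verified on any issued certificate before it goes onto an OCS server. The script below is an added example, not code from the thread: it uses OpenSSL to stand up a throwaway root CA whose CDP points at a placeholder HTTP URL, issues one server certificate that meets both requirements and one that omits them, and checks each. The CA name, host name and CDP URL are constructed placeholders.

```shell
# Added example (not from the thread): build a throwaway root CA whose CDP points
# at an HTTP URL, issue one server certificate that meets the OCS requirements
# and one that does not, then check each for the Server EKU and a CDP.
set -eu
WORK=$(mktemp -d)
CDP_URL="http://pki.example.invalid/root.crl"   # placeholder, not a real host
cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name=dn
[dn]
[ca_ext]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
crlDistributionPoints=URI:$CDP_URL
[ocs_server]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
crlDistributionPoints=URI:$CDP_URL
subjectAltName=DNS:ocs.corp.example
[bad_server]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
EOF
# Self-signed root. Clients check revocation on the certificates the root issues,
# not on the trusted root itself, so the CDP that matters is on the server certs.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Standalone Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ext.cnf" -extensions ca_ext 2>/dev/null
# One CSR for the OCS front end, signed twice: with and without the required extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ocs.corp.example" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -config "$WORK/ext.cnf" 2>/dev/null
for profile in ocs_server bad_server; do
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions "$profile" -out "$WORK/$profile.crt" 2>/dev/null
done
# Returns 0 only if the certificate carries the Server Authentication EKU and a CDP.
check_ocs_server_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  case "$text" in *"TLS Web Server Authentication"*) ;; *) echo "$1: missing serverAuth EKU"; rc=1 ;; esac
  case "$text" in *"CRL Distribution Points"*) ;; *) echo "$1: missing CDP"; rc=1 ;; esac
  return $rc
}
# Chain check: the server cert must chain to the (offline) root the clients trust.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null; }

check_ocs_server_cert "$WORK/ocs_server.crt" && verify_chain "$WORK/ca.crt" "$WORK/ocs_server.crt" && echo "ocs_server.crt: OK"
```

The same `check_ocs_server_cert` function works on a certificate exported from a Windows CA, since it only inspects the extensions OpenSSL prints.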

Answers

Thanks Deli for the update.

I was just weighing up our options and trying to understand how certificates work.

Since my original post we have decided to implement a Root CA and 2 issuing servers and will not be going for the standalone option.

The main reason for this is that other projects will need certificates, thus it is better to control this via an enterprise certificate solution.

As Deli mentioned, TLS is the way forward as this secures the data between the Client and Server, plus this is a requirement if in the future we decide to federate with other companies.

Regards

Dhiren

Tuesday, October 23, 2007 2:27 PM

All replies

You only need the root certificate on the client machines.

There is no need for client certificates on users' machines.

For TCP you will lose security.

Why would you want to try without certificates? For once Microsoft instructs security up front and everyone complains.

Deli

Thursday, October 18, 2007 10:21 PM