Example: Selecting an Extended CA Infrastructure Configuration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Organizations frequently enter into joint ventures, which can involve the sharing of confidential information, such as engineering data that is stored on an internal network. To facilitate this type of data sharing, an organization can initiate a cross-certified relationship that allows some, but not all, employees of another organization to access data on its network.

One way to enable this cross-certified relationship is to create a subordinate CA to a high security Issuing CA. This subordinate CA is then used to facilitate the joint venture relationship. Although it is possible to cross-certify directly with a corporate high security CA, the advantage of using a separate CA specifically for the joint venture is that it allows you to restrict the capabilities of the people who work for the other partners in the joint venture. They cannot, for example, use their certificates for unintended purposes or to access portions of the network that are not relevant to the joint venture.

Figure 16.14 illustrates the position of the new CA in the CA infrastructure of one organization.

Figure 16.14   Extended CA Infrastructure


Creating the CA alone does not enable the new joint venture operations. To enable this sharing, before the CAs are created, administrators must configure the cross-certificates that qualify the trust relationship between the two organizations. These cross-certificates define where, in the first organization, holders of the certificates belonging to the second organization can and cannot go, and which applications they can and cannot use. For information about how to implement these namespace and application limits, see "Using Constraints and Policy Mapping" later in this chapter.
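As an added illustration (not from the original guide), the following policy.inf shows how the cross-certificate issued to the partner's joint-venture CA can carry the namespace and application limits described above. The partner domain jv.partner.example, the directory name under it, and the path length are assumed values for this example; the application-policy OIDs are the standard Client Authentication and Secure Email OIDs.

```ini
; policy.inf used to qualify the cross-certificate request for the
; partner's joint-venture subordinate CA (example values, not from the guide)
[Version]
Signature = "$Windows NT$"

; Only certificates issued under the partner's joint-venture namespace are
; accepted; everything outside it is rejected when the chain is validated.
[NameConstraintsExtension]
Include  = NameConstraintsPermitted
Exclude  = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS           = "jv.partner.example"
email         = "@jv.partner.example"
UPN           = "@jv.partner.example"
DirectoryName = "DC=jv,DC=partner,DC=example"

[NameConstraintsExcluded]
; Deny the partner any name inside this organization's own directory.
DirectoryName = "DC=corp,DC=contoso,DC=example"

; Restrict what partner certificates may be used for: only client
; authentication and secure e-mail, not, for example, code signing or EFS.
[ApplicationPolicyStatementExtension]
Policies = AppClientAuth, AppSecureEmail
Critical = False

[AppClientAuth]
OID = 1.3.6.1.5.5.7.3.2

[AppSecureEmail]
OID = 1.3.6.1.5.5.7.3.4

; The partner CA may issue end-entity certificates only; it cannot create
; further subordinate CAs that would inherit the cross-certified trust.
[BasicConstraintsExtension]
PathLength = 0
Critical   = Yes
```

The file is applied with certreq -policy partnerJvCA.cer policy.inf crosscert.req, the resulting request is submitted to the high security issuing CA with certreq -submit, and the issued cross-certificate is published with certutil -dspublish -f crosscert.cer CrossCA so that chain building on clients picks it up.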