Best Setup Certificate CA Trusted domain Active Directory

Question

Hi All,

So just trying to workout best practice setting up CA when you have two domains with a trusted relationship.

I have a Standalone Root CA and Sub CA setup in domain A.
I have Users and Computer in Domain B.

I would like user and Computer in Domain B to auto enrol certificate. I believe I have two option for this. Setup a Web CEP and configure group policy or setup a second SubCA in Domain B.

What I would like to know is what would be the best practice. I believe if I setup a secondary Sub CA in Domain B it would be integrated with AD which has benefits but I would need to maintain two SubCA.

Thanks for your time in Advance.
Craig

Answer 1

Hi there,

For server certificate auto-enrollment, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS.

So setting up a second SubCA in Domain B would be the best practice for your requirements. Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

Configure certificate auto-enrollment https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

It is possible to have two sub-CAs. In an ideal configuration, one should have two subs ca for high availability based on usage /requirement.

---------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–