Sign Certificate Requests
In some cases, certificate requests must be digitally signed by using a valid Enrollment Agent or Signing certificate before a certification authority (CA) will process the request.
Important: Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.
One way to minimize the risk of Enrollment Agent certificate misuse is to have a single subordinate CA in your organization, under very tight administrative controls, that is used only to issue Enrollment Agent certificates. Once the initial Enrollment Agent certificates have been issued, the administrator of that CA can disable the issuance of Enrollment Agent certificates until they are needed again.
If the set of administrators who can operate the CA service on that subordinate CA is restricted, the service can be kept online to generate and distribute certificate revocation lists (CRLs) when necessary.
Other CAs in the hierarchy can still issue Enrollment Agent certificates if their policy settings are changed, but you can detect inappropriately issued Enrollment Agent certificates by checking the Issued Certificates log of each CA regularly.
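The regular check of each CA's Issued Certificates log described above, as an added PowerShell example that is not part of the original article: it uses the built-in certutil.exe to pull issued certificates from every CA, keeps those issued from an Enrollment Agent template, and flags any that did not come from the designated subordinate CA. The CA configuration strings are placeholders, and the account running it is assumed to have read access to each CA database.

```powershell
# Added example (not from the original article). CA config strings below are
# placeholders; replace them with your own "Host\CA Name" values.
$DesignatedCA = 'EA-SUBCA01.corp.example\Corp Enrollment Agent CA'    # placeholder
$AllCAs = @(
    'EA-SUBCA01.corp.example\Corp Enrollment Agent CA',                # placeholder
    'ISSUING01.corp.example\Corp Issuing CA 1',                        # placeholder
    'ISSUING02.corp.example\Corp Issuing CA 2'                         # placeholder
)

# Built-in templates that carry the Certificate Request Agent application
# policy (OID 1.3.6.1.4.1.311.20.2.1). Custom V2/V3 templates are recorded in
# the CA database by their template OID, so add any such OIDs to this list.
$EnrollmentAgentTemplates = @('EnrollmentAgent', 'EnrollmentAgentOffline', 'MachineEnrollmentAgent')

function Get-IssuedEnrollmentAgentCerts {
    param([string]$CAConfig)
    # Disposition=20 selects issued certificates; the trailing 'csv' keyword
    # makes certutil emit parseable CSV instead of its verbose row dump.
    $raw = & certutil.exe -config $CAConfig -view -restrict 'Disposition=20' `
               -out 'RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $CAConfig" }
    # Drop certutil's own header line and status trailer, then apply stable
    # property names rather than relying on the localized column captions.
    $rows = $raw | Select-Object -Skip 1 |
            Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
            ConvertFrom-Csv -Header 'RequestID','Requester','Template','NotBefore','NotAfter'
    $rows | Where-Object { $EnrollmentAgentTemplates -contains $_.Template } |
            ForEach-Object { $_ | Add-Member -NotePropertyName CA -NotePropertyValue $CAConfig -PassThru }
}

$findings = foreach ($ca in $AllCAs) { Get-IssuedEnrollmentAgentCerts -CAConfig $ca }

# Any Enrollment Agent certificate not issued by the designated CA violates the
# policy in the text and should be investigated and, if unexpected, revoked.
$unexpected = @($findings | Where-Object { $_.CA -ne $DesignatedCA })
$findings | Format-Table CA, RequestID, Requester, Template, NotAfter -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} Enrollment Agent certificate(s) issued outside {1}" -f $unexpected.Count, $DesignatedCA)
}
```

Run it on a schedule and compare the output against the list of Enrollment Agent certificates you issued deliberately; a new row from any CA other than the designated one means that CA's template policy has been changed.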
✍: Microsoft
2016-08-01, 1438🔥, 0💬