6

Scenario:

  1. We have two departments within IT; Say Department-OLD and Department-NEW.
  2. A single internal PKI environment exists and a root CA (singular) is trusted by All endpoints.

Problem:

Department-New, in the same network, is doing a lot of new development. They need to issue certificates to all their systems and applications, but we don't want the remainder of the organization (Department-OLD and endpoints) to trust the certificates used by Department-NEW.

How can this be accomplished?

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
Xorprime
  • 61
  • 1

2 Answers2

2

It might be least-problematic to set up a new root CA for Department-New for dev work. On their machines install both root certs (rootCA-general and rootCA-dev) into the trust store, on everybody else's machines only install rootCA-general.

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
  • The certs are primarily required to ensure that there is encryption in all communication between components. The approach you suggested works fine as long as there is separation between the two and we dont want trust at all. I want to be able to trust selective hosts on the "Department-New" side
    • I want "Department-New" to not want "Department-Old" to come to "Department-Old" to issue exception based certs for systems that need to now be trusted
    • I'd not install the root CA for "Department-New" on hosts in "Department-Old" because then they'd trust certs (of "Department-New"
     – Xorprime Jul 10 '15 at 10:35
0

What are you using the certs for? You can constrain the certs at at an intermediary using

  • EKU policies (HTTPS vs Email vs SmartCards)
  • Name Constraints

The combination of above might accomplish what you're looking for

makerofthings7
  • 50,918
  • 55
  • 261
  • 556
  • EKU is not relevant (All certs are for HTTPS). How might name constraints help? Even if I restrict italic_Department-New_italic to *.new.company.com being issued eventually by company.com root CA which is trusted by everyone - systems in 'Old Department' would still trust it. It's a mixed system (Wintel+Unix) so cannot rely on AD-OU restrictions allowing New Department to just systems to say a particular OU and impose a DNS suffix etc. either! – Xorprime Jul 10 '15 at 10:37