
1 ICA and CRL serving 2 different domains

tr flag

I have 1 ICA and 1 CRL and I would like them to serve 2 different domains in my setup. Is that possible? I'm running Windows Server 2019. Note that I'm not able to set up a trust relationship between the 2 domains.

I was told that the host in the other domain won't be able to contact the CRL to verify the revocation list. Is this correct?

br flag
A generic CA will issue to any domain, as long as you don't have any name constraints. However, I suspect that, as this is MS Windows, you're asking if a single CA can _automatically enrol_ to two AD domains without setting up a trust. You need to clarify your question or it could end up being closed unfortunately.
cn flag
As @garethTheRed stated, if you're looking for the same **native conveniences** that you get within a domain/forest sans trust, probably not. That said, there's nothing to prevent an organization from customizing this for external entities, and it is not uncommon. The US govt probably has the largest PKI infrastructure, and it is quite complex/elaborate. Some agencies leverage the PKI of other agencies due to cost and economies of scale. There is typically no trust between agencies, or a limited IPSEC-type connection at bulkhead points.
tr flag
Thanks for the reply. I understand that there shouldn't be any constraint with signing for both domains. However, I was told that the host in the other domain won't be able to contact the CRL to verify the revocation list. Is this correct?
br flag
The recommendation was to use LDAP for hosting your CRL, in which case it would be difficult (although not impossible) to allow read-only access to the other domain's AD. However, the current recommendation is to use HTTP instead of LDAP, in which case any relying party can access it as long as the FQDN of the host resolves in both domains.
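As an added worked example (not part of the thread and not anyone's posted configuration), here is how the HTTP-instead-of-LDAP advice above looks on the Windows Server 2019 CA, followed by the checks a host in the other domain can run. It assumes the ADCSAdministration module is available on the CA, and it uses a hypothetical hostname, `pki.example.com`, which must resolve from both domains (for example via a conditional forwarder or a public DNS zone); the certificate file names are placeholders as well.

```powershell
# Added example: move CDP/AIA from LDAP to HTTP on an AD CS issuing CA.
# Assumptions: run elevated on the CA; pki.example.com is a hypothetical name
# that resolves from BOTH domains and serves the CertEnroll directory over HTTP.
Import-Module ADCSAdministration

$HttpBase = 'http://pki.example.com/CertEnroll/'

# 1. Drop the LDAP CDP entries: a host outside the forest cannot read them
#    without access to this domain's AD.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'ldap://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# 2. Add an HTTP CDP. <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed> are
#    tokens the CA expands itself; -AddToFreshestCrl only matters if delta
#    CRLs are enabled.
Add-CACrlDistributionPoint -Uri ($HttpBase + '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl') `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# 3. Same for AIA, so chain building on the other side can fetch the ICA
#    certificate over HTTP as well.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'ldap://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri ($HttpBase + '<ServerDNSName>_<CaName><CertificateName>.crt') `
    -AddToCertificateAia -Force

# 4. Restart the CA so newly issued certificates carry the new extensions,
#    then publish a fresh CRL into the CertEnroll directory.
Restart-Service certsvc
certutil -CRL

# 5. Checks from a host in the OTHER domain (no trust required):
#    name resolution, a raw download of the CRL, then a full revocation check
#    of an issued certificate (each CDP/AIA URL should report "Verified").
Resolve-DnsName pki.example.com
Invoke-WebRequest -Uri ($HttpBase + 'MyIssuingCA.crl') -OutFile "$env:TEMP\ica.crl"
certutil -dump "$env:TEMP\ica.crl"            # issuer, ThisUpdate/NextUpdate
certutil -verify -urlfetch .\issued-cert.cer  # issued-cert.cer is a placeholder
```

Two caveats a practitioner would want: certificates issued before the change still carry the old LDAP CDP in their extension, so they have to be reissued to benefit, and the HTTP CDP helps only while the name resolves and the web server is reachable; if `certutil -verify -urlfetch` shows the CDP URL as failed, the host falls back to whatever its revocation-failure policy says (for most Windows applications, that means the chain is treated as unverifiable rather than silently accepted).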