|Applies To||Keon Certificate Authority 6.5.1; Microsoft Windows Server 2003; Microsoft Active Directory|
|Issue||How to modify the Microsoft Active Directory schema to store PKI objects when using RSA Keon Certificate Authority|
RSA Security has published an implementation guide showing how a Keon Certificate Authority (KCA) can interoperate with Microsoft Active Directory (AD) (see http://rsasecurity.agora.com/rsasecured/guides/keonca_pdfs/Microsoft_ActiveDirectory_Keon_651.pdf). The guide explains how KCA can be configured to use the directory services of AD to store certificates and certificate revocation lists (CRLs). The example in the implementation guide demonstrates how the KCA can be configured to store a CA certificate and a CRL in the Organizational Unit Record on AD.
|Resolution||Please be aware that the statement in section 3 refers specifically to storing the PKI attributes on an object class called certificationAuthority, and does not relate to the example in section 1. The example in section 1 shows a common configuration where the PKI attributes are stored in the organizationalUnit object.|
If you are setting up the connectivity following the example in the implementation guide, you must modify the Active Directory schema following the instructions in the section called "Active Directory Configurable Elements".
|Legacy Article ID||a24823|