Channel: Security forum

PKI in an edge/management network with RODCs


We are implementing a new PKI environment.  We are currently planning on only having one issuing CA and one CRL for our domain.  However, I was thinking that we might have a problem in our management network.  Our management network is a less secure network that we use RODCs (Read Only Domain Controllers) in.  So the systems in this network are still domain joined, but they are on an isolated network with firewalls between them and the "normal" corporate network.

My question is, how will the servers in this management network contact the issuing/CRL servers?  I found an article (http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx) that shows port requirements.  I have some questions though.

1.  The first 3 accesses (ports 464, 389, 636) are all from the issuing/CRL servers to the Writable DCs, correct?  So issuing CA -> DCs and CRL -> DCs?  This shouldn't be a problem at all, as all of these servers are on the internal network.

2.  The 4th access, from "All XP clients requesting certs" needs access to the CA.  Are they talking about the issuing CA here, or the CRL?  Do the clients not need access to both the issuing and the CRL?

3.  The 5th access, from "all clients requesting certs" to "certificate enrollment web services".  They are talking about the CRL here when they mention "certificate enrollment web services" correct?  Additionally, when they say "all clients", they mean desktops and servers correct?

4.  Final question.  Is the more common solution to punch holes in the firewall from the edge network to the internal network where the issuing CA/CRL reside, or is it more common to create an additional issuing CA/CRL in each edge network?  (we have 2 such edge networks, that each have their own site/network and RODCs)
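As an added example (not part of the original post or of the linked Microsoft article): a PowerShell check to run on a server in the edge/management network that reads the CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs out of one of its certificates and tests whether each endpoint is reachable through the firewall. The certificate path is an assumed placeholder; every URL reported as blocked is either a firewall rule you would need or a reason to publish the CRL/AIA somewhere the edge network can reach.

```powershell
# Added example, not from the original post. Run on an edge/management host.
param(
    # Assumed placeholder: a certificate exported from a server in the edge network
    [string]$CertPath = 'C:\temp\edge-server.cer'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        # Format($true) renders the extension as text with one "URL=..." entry per location
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
}

foreach ($u in ($urls | Sort-Object -Unique)) {
    $uri = [uri]$u
    if (-not $uri.Host) {
        # "ldap:///" carries no host: the client asks the DC of its own site, which in the
        # edge network is the RODC serving its read-only replica of the published CRL object
        Write-Output "$u -> LDAP without host: answered by the site's DC (the edge RODC)"
        continue
    }
    # Fall back to the scheme default if .NET does not supply a port for this scheme
    $port = $uri.Port
    if ($port -lt 0) { $port = if ($uri.Scheme -eq 'ldap') { 389 } else { 80 } }
    $ok = Test-NetConnection -ComputerName $uri.Host -Port $port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($ok) { 'reachable' } else { 'BLOCKED' }
    Write-Output ("{0} -> {1}:{2} {3}" -f $u, $uri.Host, $port, $state)
}
```

`certutil -verify -urlfetch <file.cer>` on the same host gives the full chain-building view (including the OCSP responder, if any) once the TCP checks pass.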
