PIX and Windows CA Server, 7.x work with Enterprise CA?

Years and years ago, I managed to get my PIX to talk to my Windows 2000 Standalone CA Certificate Server with the help of MSCEPCA. All the IPSec VPN Clients enrolled with the Standalone CA, got a Cert and were able to log into the PIX and get access.

I can't remember why, but it would only work with the Standalone CA Server and not the Enterprise CA Server.

Does anyone know if that has changed? We have a Windows 2008 Enterprise CA and it would be nice to have just the one CA to maintain.

If so, what's the best way to transition the clients and remote end points to use the new CA?

Thanks, Scott

Scott Townsend

As far as I know, the security model is still the same; one root CA and at least one issuing CA.

If you can import the old root CA somehow then it might ease the transition. Otherwise, you'll need to reissue everyone's certs.

-Gary


I guess I should have been more clear.

On a Win2K/Win2K3 Server you could only use a Standalone Root CA with the SCEP Add-on in order for the CA to allow users to enroll and get a Cert that the PIX could use. You could not use an Enterprise Root CA (AD Integrated).

Though that was with v6 of the PIX OS. Does v7 allow you to get around the need to use SCEP and/or a Standal>

Scott Townsend

That I don't know. My use of MS's CA infrastructure is in conjunction with IAS/RADIUS and Cisco WLAN controllers. We're using it because it integrates well with AD. Are you using certs for IPsec VPN authentication? You might try posting to one of the Microsoft-specific groups like microsoft.public.windows.server.security or microsoft.public.internet.radius.

There may be a CA-specific group on their web fora now, too, but I haven't looked in some time. The folks that read the radius group seem to be familiar with cert issues, too.

-Gary

