Address Book over LDAPS


Joao Amador

OK, I've read many articles about certificates and secure LDAP, but
haven't come to a conclusion yet.

I have a Windows 2000 Active Directory that I want to give access to
outside computers (not part of the domain) so they can browse the users'
email and details in Outlook clients.

- Should I install an Enterprise CA, or does it have to be a Stand-Alone CA?
- If I get a "Verisign or whatever known CA" certificate, does it simplify the
process?

Thanks for all the help in advance.
Joao Amador
 

Gordon Fecyk

Joao Amador said:
- Should I install an Enterprise CA, or does it have to be a Stand-Alone CA?
- If I get a "Verisign or whatever known CA" certificate, does it simplify the
process?

I'm not a certsrv expert but I run a local CA for pan-am.ca for internal
stuff. I use the "Enterprise standalone CA" mode. I've run into issues and
I think I've resolved them.

I believe if you pick the "Enterprise Subordinate CA" operating mode, you
can have your CA signed by a well known CA (verisign for example). This way
your users don't have to add a new root CA - they trust Verisign by default
and will trust any subordinate CAs signed by them. The rest is seamless and
LDAPS and so on will work without security warnings.

If you want to avoid paying the Veri$ign extortion fee[1] and run your own
root (stand-alone) CA, you just need to make the root CA certificate
available to your users. The remaining paragraphs describe what I had to do
for my enterprise CA.

The certsrv service attaches the root CA cert to any certs created with the
certsrv web page (yourserver/certsrv/), so if they can deal with the "This
isn't something you chose to trust" initial dialog when visiting certsrv for
the first time, you're set. Some people let their users access certsrv
without SSL itself, which I think is asking for trouble over the open net.

I found that accessing a secure site with a browser that doesn't have the
root CA already installed takes a long time initially. Granted, I'm using
2048-bit keys and this confuses IE6 initially. However, if I install the
root CA cert first, then connections are fast. Copy the root cert as a
Base64-encoded file to a non-secure location on your web server
(http://yourserver/your-ca-cert.crt, for example) and instruct people to go
there, pick "Open" and then pick "Install Certificate." Once they do that,
they're set.

Win2K and XP store root certificate information per user, so each user would
have to do the same thing on the same computer. If you enable user profiles
on Win9x the same thing happens.

[1] That's what I call it.
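The mechanics behind the reply above, as an added example that is not from either poster: a private root CA built with openssl, an LDAPS server certificate issued from it, the root exported as a Base64 .crt of the kind you would publish at a plain-HTTP URL, and a check of what a client sees with and without that root trusted. The host name dc1.example.internal, the file names and the scratch directory are assumptions for illustration; openssl (1.1.0 or later) is the only tool needed.

```shell
#!/bin/sh
# Added example, not code from the original thread: a minimal private root CA
# built with openssl, an LDAPS server certificate issued from it, the root
# exported as a Base64 .crt for publishing, and a check of what a client sees
# with and without that root trusted. Names and paths are hypothetical.
set -e

LDAP_HOST="dc1.example.internal"          # hypothetical LDAPS server name
WORK="${WORK:-$(mktemp -d)}"              # scratch directory for keys and certs

make_pki() {
    # 1. Root CA: key + CSR, then self-sign with explicit CA extensions
    #    (basicConstraints CA:TRUE is what makes verifiers accept it as a root)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -extfile "$WORK/root.ext" \
        -out "$WORK/root.pem" 2>/dev/null

    # 2. LDAPS server: key + CSR, signed by the root. The subjectAltName must
    #    carry the DNS name clients type into their Outlook/LDAP settings.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$LDAP_HOST" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$LDAP_HOST" > "$WORK/ldap.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/ldap.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ldap.ext" -out "$WORK/ldap.pem" 2>/dev/null

    # 3. Export the root certificate (public part only, never root.key) as a
    #    Base64 .crt: the file to publish at http://yourserver/your-ca-cert.crt
    openssl x509 -in "$WORK/root.pem" -outform PEM -out "$WORK/your-ca-cert.crt"
}

# What a client sees: "OK" if the server cert chains to a trusted root and the
# name matches, "FAIL" otherwise. $1 = with_root|without_root, $2 = host name.
verify_chain() {
    name="${2:-$LDAP_HOST}"
    if [ "$1" = "with_root" ]; then
        trust="-CAfile $WORK/your-ca-cert.crt"
    else
        trust="-no-CAfile"
    fi
    # -no-CApath keeps the system trust store out of the picture
    if openssl verify $trust -no-CApath -verify_hostname "$name" \
            "$WORK/ldap.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_pki
echo "root trusted, right name:  $(verify_chain with_root)"
echo "root not trusted:          $(verify_chain without_root)"
echo "root trusted, wrong name:  $(verify_chain with_root other.example.internal)"
```

The three checks are the three states a client can be in: the root installed and the server name matching the certificate (no warning), the root not installed (the "not something you chose to trust" dialog, or an LDAPS connection that simply fails), and the root installed but the client connecting by a name the certificate does not carry (still a failure, which is why the SAN matters). On a Windows client the published Base64 .crt can also be imported from the command line with `certutil -addstore Root your-ca-cert.crt`, and against a live server `openssl s_client -connect dc1.example.internal:636 -CAfile your-ca-cert.crt` shows the same verification result for the real LDAPS listener.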
 
