Cert Authority--Enterprise Stand Alone or both?

Marc O

I am making major changes to my network infrastructure for some new
applications and for overall security that had been lacking in the past. I
would like to develop a PKI based on the Win2k CA. I have a Win2k domain
with a few Win2k3 member servers.
Here is my question. I have a server that will be getting a shiny new image,
and I would like it to do two things for me: one is a RADIUS (IAS?) server (for
my VPNs), the other is a CA. Can they live together on one hardware
platform? Do I install the CA as an enterprise or stand-alone? I want to
have certs for all my domain accounts, but I also have a web server that will
have access to the rest of the world and it will need certs. Can an
enterprise CA do both? I am lost; any help would be great, thanks in
advance.
Marc
 
Shawn Rabourn [MSFT]

Hello Marc!

-->Yes, an IAS server and a CA can be installed on the same machine.
-->It is a lot cleaner for domain users for the CA to be Enterprise.
-->Depending on the amount of traffic you are expecting on your web server
from the outside public, it may be (and usually is) more cost effective to
go with a 3rd party web server certificate. Your Windows 2000/Windows 2003
CA will not be trusted by the outside world by default; they will have to
manually trust your CA. Many 3rd party CAs are already trusted. That's
the cost analysis you will have to do for that.
-->As for having a CA do both web server certificates for a public-facing
web server and being your domain CA, it will be tricky to configure the CA
for CRL verification and it will require some maintenance. Your best bet
would be to go with an Enterprise CA for your domain and use a 3rd party Web
Server certificate.


Good Luck!

--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
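To make Shawn's two points concrete (an outside client will not trust a private CA, and a private CA's CRL has to be reachable from wherever the certificate is checked), here is an added PowerShell example, not code from the thread or from Microsoft, that inspects a server certificate the way a relying party would: it prints the CRL Distribution Points the certificate advertises, then builds the chain with online revocation checking and reports every chain status flag. The host name is a placeholder; it assumes the certificate is in the local machine's personal store.

```powershell
# Added example (not from the thread): examine a web server certificate the
# way an outside client would. Assumes the certificate lives in
# Cert:\LocalMachine\My and that $HostName (placeholder) is in its subject.
param(
    [string]$HostName = 'www.example.com'   # assumption: placeholder host name
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in LocalMachine\My" }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# CRL Distribution Points extension (OID 2.5.29.31). Clients fetch the CRL
# from these URLs; a location that is only resolvable or reachable inside
# the domain will make revocation checks fail for everyone outside it.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL Distribution Points:`n" + $cdp.Format($true) }
else      { 'No CRL Distribution Points extension present' }

# Build the chain as a relying party would, with online revocation
# checking for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$built = $chain.Build($cert)
"Chain builds cleanly: $built"
"Chain (leaf to root):"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

# Each status flag names one problem. UntrustedRoot means the issuing CA is
# not in this machine's trusted root store (what an outside client sees for a
# private CA). RevocationStatusUnknown or OfflineRevocation means the CRL at
# the CDP above could not be fetched.
if ($chain.ChainStatus.Count -eq 0) {
    '  (no chain status flags: trusted and revocation checked)'
}
foreach ($s in $chain.ChainStatus) {
    '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

Run it on a machine that already trusts the private CA and it reports a clean chain; run the same script on a workstation that is not in the domain (or temporarily move the CA certificate out of the trusted root store) and the `UntrustedRoot` and revocation flags show exactly what an Internet client would see, which is the maintenance cost Shawn describes versus a certificate from an already-trusted 3rd party CA.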
 
Marc O

Shawn,
That's great news. I was hoping they would be compatible, and as for the 3rd
party CA I agree a Thawte or Verisign will be easier.
If I use the enterprise CA for the domain, can the certificate assigned to
accounts with email be used to send 'signed/secured' email like a PGP? If so,
will it be good just within the domain or will it be good on email going
outside? Thanks again for your help.
Cheers,
Marc
 
Chris Vain

I'm working on using Microsoft (Windows 2000)
Certificate Services as a certificate authority for PEAP
with IAS. I'm using Group Policy to automatically
distribute computer certificates to domain computers and
everything is working fine.

My one problem is the use of certificates for non-domain
computers. I can't work out how, or if, it's possible to
request a computer certificate manually.

Does anyone have any ideas?

Thanks,
Chris
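One way to do what Chris is asking about, as an added example that is not code from the thread: a computer that is not domain-joined gets no Group Policy autoenrollment, but certreq.exe can generate the key pair and PKCS#10 request from an INF file, submit it to the CA, and install the issued certificate next to its private key. The host name, CA config string and template name are placeholders (assumptions); the script assumes a current Windows host with certreq.exe and is run as an administrator so the key can be created in the machine store.

```powershell
# Added example (not from the thread): manual computer certificate
# enrollment with certreq.exe. All three values below are assumptions.
$Fqdn     = 'laptop01.example.com'          # subject of the request
$CaConfig = 'ca01.example.com\Example-CA'   # "host\CA name" (see certutil -dump)
$Template = 'Machine'                       # enterprise CA template; drop the
                                            # [RequestAttributes] section for a
                                            # stand-alone CA
$Work     = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Request parameters. MachineKeySet=TRUE creates the key in the computer's
# store (not the user's); Exportable=FALSE keeps the private key on this
# machine; KeyUsage 0xA0 is digitalSignature + keyEncipherment; the EKU
# 1.3.6.1.5.5.7.3.2 is Client Authentication, which is what the supplicant
# side of PEAP/EAP-TLS presents to IAS.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request file.
certreq -new "$Work\request.inf" "$Work\request.req"

# 2. Submit the request. From outside the domain this needs credentials the
#    CA accepts; otherwise copy request.req to a machine that has them and
#    submit from there.
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"

# 3. Bind the issued certificate to the private key created in step 1.
certreq -accept "$Work\cert.cer"

# Check: the certificate is now in LocalMachine\My with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey
```

If the CA is set to hold requests for approval (the default for a stand-alone CA), step 2 prints a request ID instead of writing cert.cer; after an administrator issues it, `certreq -retrieve <RequestId> cert.cer` fetches the certificate and step 3 proceeds as above. Because the private key never leaves the requesting machine, this keeps the same property autoenrollment gives domain members.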
 