Re: Certificate Services - What is it?

From: Mark Gamache (mark.gamache_at_css-security.com.nospam)
Date: 02/23/05


Date: Tue, 22 Feb 2005 16:20:06 -0800

Are you looking to get strong authentication of the clients or just protect
the data flow? SSL does require certificates, but this doesn't mean you
need to run a certificate authority. You can buy the certificates form
someone like Geotrust. The certs can be used to protect the data session,
authenticate the server to the user and to authenticate the user to the
server.

Depending on what you are looking to do, you may only need two certs. If
you are just protecting the session and not even interested in letting the
clients verify the authenticity of the server, you can use MS tools or
openSSL to create self signed certs. If you want to authenticate the server
to the clients, you will want certs that are chained (signed by) to a
trusted root CA. If you want the server to validate the users by
certificates then each client needs a certificate. Many sights use SSL to
authenticate the server an then protect the user's authentication method
(i.e. Forms) If you do use client certs, an MS CA is a great way to go.

Cheers,

-- 
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Frank Pinto" <Frank Pinto@discussions.microsoft.com> wrote in message 
news:3D20D5A9-1E38-4A79-AAFE-15D1B93615DE@microsoft.com...
>I would like to use ssl to secure an extranet website.  Do I need to run
> Certificate Services?  I want to secure a couple websites actually.  A 
> client
> site and an employee site.
>
> Can anyone shed light on this?
>
> Thanks,
> Frank Pinto