Re: Cert Authority--Enterprise Stand Alone or both?
From: Chris Vain (anonymous_at_discussions.microsoft.com)
Date: 04/21/04
Date: Tue, 20 Apr 2004 19:55:32 -0700
I'm working on using Microsoft (Windows2000) Certificate Services as a certificate authority for PEAP with IAS. I'm using Group Policy to automatically distribute computer certificates to domain computers and everything is working fine.
My one problem is the use of certificates for non-domain computers. I can't work out how or if it's possible to request a computer certificate manually.
Does anyone have any ideas?
Thanks,
Chris
>-----Original Message-----
>Shawn,
>That's great news. I was hoping they would be compatible and as for the 3rd party CA I agree a Thawte or Verisign will be easier.
>If I use the enterprise CA for the domain can the certificate assigned to accounts with email be used to send 'signed/secured' email like a PGP? If so will it be good just within the domain or will it be good on email going outside? Thanks again for your help.
>Cheers,
>Marc
>"Shawn Rabourn [MSFT]" <shawnrab@online.microsoft.com> wrote in message
>news:%23VEg2yiEEHA.2640@TK2MSFTNGP09.phx.gbl...
>> Hello Mark!
>>
>> -->Yes, an IAS server and a CA can be installed on the same machine.
>> -->It is a lot cleaner for domain users for the CA to be Enterprise.
>> -->Depending on the amount of traffic you are expecting on your web server from the outside public, it may be (and usually is) more cost effective to go with a 3rd party web server certificate. Your Windows 2000/Windows 2003 CA will not be trusted by the outside world by default, they will have to manually trust your CA. Many 3rd party CAs are already trusted. That's the cost analysis you will have to do for that.
>> -->As for having a CA do both web server certificates for a public-facing web server and being your domain CA, it will be tricky to configure the CA for CRL verification and it will require some maintenance. Your best bet would be to go with an Enterprise CA for your domain and use a 3rd party Web Server certificate.
>>
>>
>> Good Luck!
>>
>> --Shawn
>> This posting is provided "AS IS" with no warranties and confers no rights.
>>
>>
>> "Marc O" <moconnor@abington.org> wrote in message
>> news:OlI9sEgEEHA.576@TK2MSFTNGP11.phx.gbl...
>> > I am making major changes to my network infrastructure for some new applications and for overall security that had been lacking in the past. I would like to develop a PKI based on the Win2k CA. I have a Win2k domain with a few Win2k3 member servers.
>> > Here is my question: I have a server that will be getting a shiny new image and I would like it to do two things for me: one is a RADIUS (IAS?) server (for my VPNs), the other is a CA. Can they live together on one hardware platform? Do I install the CA as an enterprise or stand alone? I want to have certs for all my domain accounts but I also have a web server that will have access to the rest of the world and it will need certs. Can an enterprise CA do both? I am lost, any help would be great, thanks in advance.
>> > Marc