Windows 2003 Standard or Enterprise to deploy certificates

I am working with a consultant to deploy a couple Wireless Access Points.  We plan to set up EAP-TLS for Authentication and deploy the certificates via group policy.  They are telling me that we need to have Windows 2003 Enterprise for the Certificate Authority Server.  Is this correct?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I've installed Certificate services on a Windows 2003 standard edition before.  I've never heard of having to install it only on a Enterprise server....I think they might be getting confused with the server having to be an "Enterpise Root CA"...
Here's some more info...

But, maybe the consultant is right....But I'm not entirely convinced.
Hmmmm.....Looks like the consulltant is right.....

I would have sworn I've installed CA on Standard before....oh well.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

You need Windows 2003 Enterprise to deploy a Root CA and generate your own subordinate certs, yes.
ParanormasticCryptographic EngineerCommented:
Normally in a 2 tier system you would want the root to be 2003 or 2008 Standard Edition and not joined to a domain.  The issuing subordinate CA you would want to be 2003 or 2008 Enterprise Edition and would typically be joined to the domain.

The root would be installed as an Enterprise Root CA, and the issuing as an Enterprise Subordinate CA.  This is essentially how we do things here, except we have a 3 tier PKI due to higher policy level requirements.

You want Enterprise Edition for CA that issues end device / end user certificates so you have proper access to the templates and such.  Technically Standard Edition would be functional, but very restricted for what you would likely want to do with it in the long term, if not the short term.

The 2 tier system is highly recommended vs. a single CA for security reasons as well as a reduction in long term issues, such as adding additional CA's (e.g. one in domainA and another in domainB, or one for issuing certs to partners, etc.), moving a CA to another server, and many more reasons.

Also, it is generally advisable to not install any CA on a domain controller as things get messy in that specific environment.  It is best to have dedicated boxes, but if you can't do that at least don't do it on a DC - upgrades to the CA and/or the DC get very complicated, not to mention many other reasons to not do this.
ParanormasticCryptographic EngineerCommented:
You might want to look at a 2008 CA for supporting SCEP - this might fall into what you are looking to do....
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.