Windows 2003 Standard or Enterprise to deploy certificates

I am working with a consultant to deploy a couple Wireless Access Points.  We plan to set up EAP-TLS for Authentication and deploy the certificates via group policy.  They are telling me that we need to have Windows 2003 Enterprise for the Certificate Authority Server.  Is this correct?
bluespringsitAsked:
Who is Participating?
 
keamoConnect With a Mentor Commented:
Hmmmm.....Looks like the consulltant is right.....

http://technet.microsoft.com/en-us/library/aa998956(EXCHG.65).aspx

I would have sworn I've installed CA on Standard before....oh well.
0
 
keamoCommented:
I've installed Certificate services on a Windows 2003 standard edition before.  I've never heard of having to install it only on a Enterprise server....I think they might be getting confused with the server having to be an "Enterpise Root CA"...
0
 
keamoCommented:
Here's some more info...

http://technet.microsoft.com/en-us/library/cc756120.aspx

But, maybe the consultant is right....But I'm not entirely convinced.
0
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

 
SCarrisonCommented:
You need Windows 2003 Enterprise to deploy a Root CA and generate your own subordinate certs, yes.
0
 
ParanormasticCryptographic EngineerCommented:
Normally in a 2 tier system you would want the root to be 2003 or 2008 Standard Edition and not joined to a domain.  The issuing subordinate CA you would want to be 2003 or 2008 Enterprise Edition and would typically be joined to the domain.

The root would be installed as an Enterprise Root CA, and the issuing as an Enterprise Subordinate CA.  This is essentially how we do things here, except we have a 3 tier PKI due to higher policy level requirements.

You want Enterprise Edition for CA that issues end device / end user certificates so you have proper access to the templates and such.  Technically Standard Edition would be functional, but very restricted for what you would likely want to do with it in the long term, if not the short term.

The 2 tier system is highly recommended vs. a single CA for security reasons as well as a reduction in long term issues, such as adding additional CA's (e.g. one in domainA and another in domainB, or one for issuing certs to partners, etc.), moving a CA to another server, and many more reasons.

Also, it is generally advisable to not install any CA on a domain controller as things get messy in that specific environment.  It is best to have dedicated boxes, but if you can't do that at least don't do it on a DC - upgrades to the CA and/or the DC get very complicated, not to mention many other reasons to not do this.
0
 
ParanormasticCryptographic EngineerCommented:
You might want to look at a 2008 CA for supporting SCEP - this might fall into what you are looking to do....
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.