Windows 2003 Standard or Enterprise to deploy certificates

bluespringsit
bluespringsit used Ask the Experts™
on
I am working with a consultant to deploy a couple Wireless Access Points.  We plan to set up EAP-TLS for Authentication and deploy the certificates via group policy.  They are telling me that we need to have Windows 2003 Enterprise for the Certificate Authority Server.  Is this correct?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
I've installed Certificate services on a Windows 2003 standard edition before.  I've never heard of having to install it only on a Enterprise server....I think they might be getting confused with the server having to be an "Enterpise Root CA"...

Commented:
Here's some more info...

http://technet.microsoft.com/en-us/library/cc756120.aspx

But, maybe the consultant is right....But I'm not entirely convinced.
Commented:
Hmmmm.....Looks like the consulltant is right.....

http://technet.microsoft.com/en-us/library/aa998956(EXCHG.65).aspx

I would have sworn I've installed CA on Standard before....oh well.
Angular Fundamentals

Learn the fundamentals of Angular 2, a JavaScript framework for developing dynamic single page applications.

You need Windows 2003 Enterprise to deploy a Root CA and generate your own subordinate certs, yes.
ParanormasticCryptographic Engineer

Commented:
Normally in a 2 tier system you would want the root to be 2003 or 2008 Standard Edition and not joined to a domain.  The issuing subordinate CA you would want to be 2003 or 2008 Enterprise Edition and would typically be joined to the domain.

The root would be installed as an Enterprise Root CA, and the issuing as an Enterprise Subordinate CA.  This is essentially how we do things here, except we have a 3 tier PKI due to higher policy level requirements.

You want Enterprise Edition for CA that issues end device / end user certificates so you have proper access to the templates and such.  Technically Standard Edition would be functional, but very restricted for what you would likely want to do with it in the long term, if not the short term.

The 2 tier system is highly recommended vs. a single CA for security reasons as well as a reduction in long term issues, such as adding additional CA's (e.g. one in domainA and another in domainB, or one for issuing certs to partners, etc.), moving a CA to another server, and many more reasons.

Also, it is generally advisable to not install any CA on a domain controller as things get messy in that specific environment.  It is best to have dedicated boxes, but if you can't do that at least don't do it on a DC - upgrades to the CA and/or the DC get very complicated, not to mention many other reasons to not do this.
ParanormasticCryptographic Engineer

Commented:
You might want to look at a 2008 CA for supporting SCEP - this might fall into what you are looking to do....

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial