Windows 2008 Certificate Authority Question

A Certificate Authority has just been created on our domain for the purpose of an SSTP VPN.
Now other servers such as domain controllers are requesting certificates from the CA.
What are the consequences of this? What would the certificates be used for if provided to these servers, and will it cause any trouble on the network?
question01 Asked:

bernardbrink Commented:
No, you can use multiple certificates (or a single one) to let others (inside your site/domain) see the owner is trusted.
You can use them to sign e-mail or documents, create SSL websites, etc. And with these certificates people can see the owner is trusted.
For external use (communication between client and customer, for example) you can buy them;
look at Verisign for instance: http://www.verisign.com/
So, no problem, but more secure, in my opinion.
question01 Author Commented:
Thanks bernard,

Can you tell me how to stop DCs from requesting certificates from the CA?
bernardbrink Commented:
The certificate service is registered in the AD, so if I'm not mistaken, you can't stop it, because it publishes itself (and the certificates).
Paranormastic (Cryptographic Engineer) Commented:
If you look in the Certificate Templates folder within the Certification Authority MMC on the CA server (not the Certificate Templates MMC) you can see what templates are issued to the CA - the domain controller certs are issued by default. This helps validate that your DCs are really DCs and also helps protect certain types of traffic for the DCs. It is generally advised to leave them alone and keep using the CA-issued certificates - there is a higher level of trust implied over not using a CA-issued cert. However, you could remove the template from the CA console, remove the DC cert from each DC from the Certificates (local computer) MMC, and then reboot each DC to clear its cache, and they would all go back to using self-signed certs.
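
To see what the CA has already issued to a DC before deciding whether to keep or remove the template, the following added example (not part of the original thread) lists the certificates in a domain controller's local computer store together with the template each was issued from. It assumes an elevated PowerShell session on the DC; the function and variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Inventories the Local Computer "Personal" store (the store shown by the
# Certificates (local computer) MMC) and reports which certificate template,
# if any, each certificate was issued from.

# Extension OIDs Windows uses to record the template inside an issued certificate.
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 templates: Certificate Template Name
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ templates: Certificate Template Information

# Hypothetical helper: returns the decoded template extension, or $null if absent.
function Get-CertTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateNameOid -or $ext.Oid.Value -eq $TemplateInfoOid) {
            return $ext.Format($false)   # human-readable, single-line decoding
        }
    }
    return $null
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $template = Get-CertTemplateText -Cert $cert
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        # Subject equal to Issuer indicates a self-signed certificate,
        # i.e. one that did not come from the domain CA.
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Template   = $(if ($template) { $template } else { '(none)' })
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Soonest-expiring certificates first, so renewals that depend on the
# template staying published on the CA are easy to spot.
$report | Sort-Object NotAfter |
    Format-List Subject, Issuer, SelfSigned, Template, NotAfter, Thumbprint

# On the CA server itself, the templates the CA is currently set to issue
# (the Certificate Templates folder in the Certification Authority MMC)
# can be listed with:
#   certutil -CATemplates
```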
