Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Setting UP PKI and Certificate servers on a Windows Server 2008 R2 domain
Posted on 2010-09-03
My company has asked our team to implement a PKI solution so we can encrypt and digitally sign emails, files, authenticate users for web-based applications that are on DMZ servers (bounce authentication againts internal AD servers from the DMZ).
Ourt current environment is: Active Directory with DOmain controllers as Windows Server 2008 R2.
Multiple member servers in 2008 and some in 2003. Applications in our internal domain and some are located at the DMZ.
What is required to start this implementation? PKI server, Certificate signing (Microsoft-local vs Third-Party).
Ourt current environment is: Active Directory with DOmain controllers as Windows Server 2008 R2.
Multiple member servers in 2008 and some in 2003. Applications in our internal domain and some are located at the DMZ.
What is required to start this implementation? PKI server, Certificate signing (Microsoft-local vs Third-Party).
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
6 Comments
Active today
In windows 2k8, you'll want a Certificate Services server to handle most of the work. Certificate signing and encryption for email will only work internally for the most part. If you want an encryption system for email going outside your network, you'll want to look at third party solutions like PGP. Realistically, you'll need to determine how far reaching you want your encryption and authentication to be. AD CS is great internally, but it gets really troublesome when you go outside the LAN/WAN, because certificate distribution is limited to the domain. Same thing for web site authentication. It's a piece of cake and almost just works right out of the box if you're entirely internal. The second you break across that public/private line it gets troublesome. RSA makes a good key management system for distributing keys outside a private network, and I think there are a few other companies that do as well.
Just to sum up my recommendation on how to move forward, take a look at what you want to do. If you need to manage certificates outside your network, you should look into third party solutions. If it's going to be mostly internal, or if any part of the requirement is internal only, you'll want to allow AD CS to handle that portion because of the auto-enrollment features built in to Windows.
Just to sum up my recommendation on how to move forward, take a look at what you want to do. If you need to manage certificates outside your network, you should look into third party solutions. If it's going to be mostly internal, or if any part of the requirement is internal only, you'll want to allow AD CS to handle that portion because of the auto-enrollment features built in to Windows.
I see, so I will probably need to obtain a CA for Each of my domain controllers from a third-party to begin issuing certificates at least for inside applications and services.
If we want to do email encryption or digital signatures then the RSA route is your recommendation or that of PGP, correct?
One of the key factors that triggered this reearch was the adding a few services to be reached from the DMZ and be able to authenticate domain users from home or where ever they they can be. We already have servicea with their own certificates (webmail, citrix access, etc) which are at the DMZ but get the users authentication bounced off AD.
Thanks for your input.
If we want to do email encryption or digital signatures then the RSA route is your recommendation or that of PGP, correct?
One of the key factors that triggered this reearch was the adding a few services to be reached from the DMZ and be able to authenticate domain users from home or where ever they they can be. We already have servicea with their own certificates (webmail, citrix access, etc) which are at the DMZ but get the users authentication bounced off AD.
Thanks for your input.
Active today
You won't need to get a third party certificate for your DCs if you are only doing internal certificate generation. You will, however, need to set up the AD Certificate Services Role on a server in your network and configure it as an Enterprise Root CA. Once that's done, the certificate for that server will be distributed to all computers on the domain via GPO and they will then trust any certificate generated by that Root CA. Third party certificates are meant to be used for generating SSL certificates and a number of other types of certificates when a CA hierarchy doesn't exist already. Once you have a Root CA in your network, you can configure it to autoenroll devices and computers with certificates. Here's a step-by-step article from Mickeysoft for managing AD CS: http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx
The limitation of AD CS is that only computers that are members of the domain will automatically trust the certificates generated by the Root CA. Computers that are not part of the domain won't trust the CA until you import the Root CA's Root Certificate and set the computer to trust it.
The main limitation of any PKI system is in key distribution. There's some fascinating historical stories about key distribution issues (for instance, the German Enigma system during WWII). It is entirely possible to handle email signing and encryption outside of your network with Active Directory. The problem is that your users will have to send a key to people that the email in order for the email to be decrypted. The problem is that this very quickly becomes a logistical nightmare (not to mention the potential security issues of having your Root CA key plastered all over the internet). This is where the third party apps come in to play.
PGP's email system system provides email encryption by capturing email traffic that goes outside the network and storing it, encrypted, in a secure reception area that is accessible to the outside world. After the email is sent and stored by PGP a notification email is sent to the recipient, giving them instructions on how to log in to the secure repository and read the email. Recipients set up an account on the PGP mail repository server and read any encrypted mail without the mail actually leaving your network.
RSA's key distribution system does something different. I haven't actually used their solution before, so I don't know exact details. From their marketing materials, it looks like it provides secure key distribution through a web enrollment system similar to AD CS, but usable outside a domain. You'll probably need to contact RSA to get more specific information. Here's the website for more info: http://www.rsa.com/node.aspx?id=1224
The limitation of AD CS is that only computers that are members of the domain will automatically trust the certificates generated by the Root CA. Computers that are not part of the domain won't trust the CA until you import the Root CA's Root Certificate and set the computer to trust it.
The main limitation of any PKI system is in key distribution. There's some fascinating historical stories about key distribution issues (for instance, the German Enigma system during WWII). It is entirely possible to handle email signing and encryption outside of your network with Active Directory. The problem is that your users will have to send a key to people that the email in order for the email to be decrypted. The problem is that this very quickly becomes a logistical nightmare (not to mention the potential security issues of having your Root CA key plastered all over the internet). This is where the third party apps come in to play.
PGP's email system system provides email encryption by capturing email traffic that goes outside the network and storing it, encrypted, in a secure reception area that is accessible to the outside world. After the email is sent and stored by PGP a notification email is sent to the recipient, giving them instructions on how to log in to the secure repository and read the email. Recipients set up an account on the PGP mail repository server and read any encrypted mail without the mail actually leaving your network.
RSA's key distribution system does something different. I haven't actually used their solution before, so I don't know exact details. From their marketing materials, it looks like it provides secure key distribution through a web enrollment system similar to AD CS, but usable outside a domain. You'll probably need to contact RSA to get more specific information. Here's the website for more info: http://www.rsa.com/node.aspx?id=1224
Thanks for your detailed comment on this. I was looking at any other experts comments but I guess, even after the question was moved to another group, nobody else has an input for this.
Thanks much, I will focus my research on this and seek a direct target solution.
Definitely will do an in-house CA server for all our internal needs, per all my current readings online. R$A is out of the question, budget-wise.
Thanks a bunch.
Thanks much, I will focus my research on this and seek a direct target solution.
Definitely will do an in-house CA server for all our internal needs, per all my current readings online. R$A is out of the question, budget-wise.
Thanks a bunch.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article will help to fix the below error for MS Exchange server 2010
I. Out Of office not working
II. Certificate error "name on the security certificate is invalid or does not match the name of the site"
III. Make Internal URLs and External…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
The video tutorial explains the basics of the Exchange server Database Availability groups.
The components of this video include:
1. Automatic Failover
2. Failover Clustering
3. Active Manager
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 18 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.