How to choose between Enterprise or Standalone CA?
Posted on 2011-03-01
I've searched for quite some time out on the 'Net...still need some clarification regarding certificate services.
From what I've been able to glean from my research, I believe the following to be true:
A) It's fairly easy to install certificate services on either Server 2003 or 2008
B) You can install either standalone or enterprise CA on Server 2003 STD
C) While it is possible to install a CA on your domain controller, nobody really advises doing that since you cannot decommission that DC easily without removing the CA
I'm having a hard time understanding *for sure* exactly which I need; standalone or enterprise CA.
1) Could somebody please give a layman's explanation as to why you would *need* enterprise? Please don't post links...I've seen all the links! I can't find that "basic primer" that leads you through the decision process.
I'm sure one of the questions that will arise is "So what do you want to do with your certs?" I have a number of internal web servers that would benefit from having an internally generated cert. I fully understand the differences between certs created by an external CA vs the internal CA...along with the associated limitations. I also could use certs for some of my networking equipment such as access points and Cisco ASA devices, so network infrastructure certs would be needed. I'm sure there will be a need at some point for special certs with certain apps...but we're not there yet. In a nutshell, I want to be able to handle any kind of cert that *can* be done internally while we would continue to use purchased external certs for public facing apps. Our infrastructure is about 70 servers with 300 PCs; about half of which depend on VPN services into a Cisco ASA for connectivity.
We are using Server 2003 Active Directory Services. Two domain controllers (2003)
2) I've seen a few references that you must have Enterprise Server 2008 to install an Enterprise CA on that OS. Is this true?
3) If I were to install an Enterprise CA now on Server 2003 (STD, assuming item B is true above) can it be easily moved to a 2008 server at a later point? (And would that 2008 server have to be an Enterprise OS, assuming Question 2 above?)
Note that I've posted 3 questions with #3 dependent upon #2