?
Solved

How to choose between Enterprise or Standalone CA?

Posted on 2011-03-01
2
Medium Priority
?
983 Views
Last Modified: 2012-05-11
I've searched for quite some time out on the 'Net...still need some clarification regarding certificate services.

From what I've been able to glean from my research, I believe the following to be true:

A) It's fairly easy to install certificate services on either Server 2003 or 2008
B) You can install either standalone or enterprise CA on Server 2003 STD
C) While it is possible to install a CA on your domain controller, nobody really advises doing that since you cannot decommission that DC easily without removing the CA

I'm having a hard time understanding *for sure* exactly which I need; standalone or enterprise CA.  

1) Could somebody please give a layman's explanation as to why you would *need* enterprise?  Please don't post links...I've seen all the links!  I can't find that "basic primer" that leads you through the decision process.

I'm sure one of the questions that will arise is "So what do you want to do with your certs?"  I have a number of internal web servers that would benefit from having an internally generated cert.  I fully understand the differences between certs created by an external CA vs the internal CA...along with the associated limitations.  I also could use certs for some of my networking equipment such as access points and Cisco ASA devices, so network infrastructure certs would be needed.  I'm sure there will be a need at some point for special certs with certain apps...but we're not there yet.  In a nutshell, I want to be able to handle any kind of cert that *can* be done internally while we would continue to use purchased external certs for public facing apps.  Our infrastructure is about 70 servers with 300 PCs; about half of which depend on VPN services into a Cisco ASA for connectivity.

We are using Server 2003 Active Directory Services.  Two domain controllers (2003)

2) I've seen a few references that you must have Enterprise Server 2008 to install an Enterprise CA on that OS.  Is this true?

3) If I were to install an Enterprise CA now on Server 2003 (STD, assuming item B is true above) can it be easily moved to a 2008 server at a later point?  (And would that 2008 server have to be an Enterprise OS, assuming Question 2 above?)

Note that I've posted 3 questions with #3 dependent upon #2
0
Comment
Question by:RickCurtis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
FemSteenkamp earned 1000 total points
ID: 35007199
if you mainly(only) use microsoft products and servers in an environment then use the enterprise mode as 99.99% of the microsoft services that interact with the AD will auto enroll their certificates and certificate management for these will be very little. If you want/need auto enrollment use enterprise...
you can still issue manual certificates as well ( as in standalone) but the CRL and enrollment is done via AD credentials.


standalone is ALL MANUAL. each certificate has to be manually enrolled and issued. this gives tighter control over certificates, and is normally used if you plan on getting a public CA to give you the ability to generate public acceptible certificates ( as root is signed by public CA)

hope this helps
0
 
LVL 10

Assisted Solution

by:fm250
fm250 earned 1000 total points
ID: 35009063
2 nd Question is true:
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

3rd question:
 you will have to install the services and CAs on the 2008. you will have more problems trying to move them.

Also (in addition to FemSteenkamp comments) on Q 1:
 enterprise CA creates an exchange certificate periodically (by default, weekly), and returns the exchange certificate upon request of a client

Hope this helps
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question