
certificate authority queries - windows 2003

hi i am configuring a windows 2003 domain & so far i have:

- master ad/dns/dhcp server
- file & printer server
- xp desktops
- via a cisco switch

i've been doing some reading about 'ca', but still am not sure about the following questions of mine and was hoping someone has the knowledge to give me a 'yes or no' answer & maybe some extra advice for each!!

qns1. is it ok to go ahead & install a 'ca' for a internal local domain ?

qns2.  should i use a 3rd party 'ca' if connecting 1 domain to another or multiple if geographically separated ?

qns3.  is it true that a 'ca' is supposed to provide a sha-1 feature, which apparently generally uses a 160 bit hashing algorithm encryption method to presumably protect an internal network ?

qns4. i was under the understanding that i should first install & configure a windows 2003 network or domain & maybe 1 domain user account & maybe a home user via a vpn & then i would install the internal 'ca' via windows components & for maybe credit card transactions or outlook web access, then i should purchase a 3rd party 'ca' & as we all know us humans make mistakes.  is this true ?

the reason for asking 'qns4' above was when i attempt to install the 'ca' on my windows 2003 it states:

"after we install the 'ca', the machine name & domain membership may not be changed due to the binding of the machine name to 'ca' info stored in the 'ad'.  changing the machine name or domain membership would invalidate certificates issued from the 'ca'.  please ensure the proper machine name & domain membership are configured before installing certificate services"

qns5.  when i attempt to install the 'ca' it lists the below but i'm not sure which 1 to select:

- enterprise root ca - ok for an enterprise network
- enterprise subordinate ca - not sure
- standalone root ca - ok for a network not part of a domain
- standalone subordinate ca - not sure

qns6. can i temporarily use a 'ca' to test 'vpn' is secure although 'vpn' still connect without or even a credit card transaction & then later add a 3rd party ?

note:  as far as i'm aware md5 is used on cisco switches & routers using routing protocols, but always wondered where 'sha-1' was used!!!
7 Solutions
David Johnson, CD, MVP (Owner) commented:
1. Yes
2. Certificates work on a chain of trust. Computers are machines and they look pretty much the same to each other, like trying to distinguish between two identical twins: one has a birth certificate issued by the government and another has a piece of paper they signed themselves. Which would you trust? You'd accept the one with the gov't certificate but you'd be wary about the one with the self signed piece of paper. A company can have an enterprise CA and each branch office would have a subordinate CA, but if needed one can go up the chain of trust, and as long as one trusts the root certificate of the enterprise CA then one would trust the subordinate CA's certificates. Our computers come with a list of predefined root certificates that we trust implicitly.  If we don't want the Post Office of Hong Kong as a trusted root authority then we can remove it. The problem being that anyone using a certificate issued by them will have to be accepted individually. Geography makes no difference.

6.  You don't need a CA you can use a self signed certificate but other computers will stop and say 'do you want to trust this computer' until you add the certificate to your certificates.

3. NO it is up to the computer to force the use of certificates to accept connections.

4. Depends upon how many computers you have. An internal CA is good only for computers that are (a) members of the domain or (b) that accept your certificate. E-Commerce and other web users may not want to accept a certificate signed by your company but prefer one signed by a root certification authority, and reject your internal certificates.  Anyone can say that they are the Bank of America, but a root certification authority will demand some proof that you are who you say you are.

5.  You need a root CA to begin, either enterprise or standalone root CA. Enterprise is better as its scope is your entire enterprise. CA's are only really good for domains, whether it is domain.local or domain.home or whatever.

6. SHA1 has been superseded by more modern encryption protocols.
mikey250 (Author) commented:
hi ve3ofa, (thanks for giving me some answers)

6.  when would i not need a 'ca' & how would i get a self-signed certificate, unless this is in the wizard when installing for a 'ca' ?

3.  all i know is once a network or domain is setup, but how does presumably a potential foreign pc or not foreign, potentially try to connect to a server/pc with a 'ca root' installed or would that foreign user see a message on its screen saying 404 or no access or some no digital certificate or what, as this is the part i cannot see in my mind practically, because as a user on the internet i can open anything on any pc, but if i typed in a specific domain name of a public company or ip address in the 'address part', i presume i would be shown some form of message ?

4.  when do i add a 'ca', ie after domain configured & then continue with other company configurations or after all users are added & maybe external vpn users from home ?

4. when i follow the wizard to install the 'ca' i also tick: "use custom settings to generate the key pair & ca certificate" - is this the same key pair i would add when setting up a remote vpn for a user on a laptop logging onto network from home & where do i locate what the key pair is (presumably if it is the actual same thing) ?

4.  once i've configured my domain name or whatever & install the 'ca root' either enterprise or standalone on server, but realise i need to change the domain name or something, what do i do about this message shown ?

"after we install the 'ca', the machine name & domain membership may not be changed due to the binding of the machine name to 'ca' info stored in the 'ad'.  changing the machine name or domain membership would invalidate certificates issued from the 'ca'.  please ensure the proper machine name & domain membership are configured before installing certificate services"

6.  the last i read somewhere was sha1/2048 bits generally provided up to 160 bit, but i'm thinking is the 2048 bit the same thing or am i getting confused.  as in 160bit is old & it moved up to 2048 bit for the most up to date presumably for windows 2003, but not sure what has come in since win 2008 & 2012!! can you point me to a 'url' that shows the others that have superseded windows 2003 ?
Mikey, why do you think that you need to run a certificate authority? In general, they are not needed. Going through your posts, I only saw one instance where a certificate would be needed, and that is an SSL certificate to protect sensitive web server traffic. You would usually use a third party certificate from a widely trusted CA to protect a public web server because a certificate from your own CA would give security warnings to web browsers.
mikey250 (Author) commented:

after doing some reading and watching a 'video' i just assumed after configuring a domain or a standalone that configuring a 'ca' created some kind of overall encryption within my lan, that's why!

in general not needed - why ?

- i assumed for the actual domain i would install a 'ca' for it
- i then assumed for web server traffic i would then have to contact a 3rd party for that ssl certificate as per this video i have
- i then assumed if i had credit card payments being accepted or something else then i would have to apply for another 3rd party certificate
Having certificates from a certificate authority does not create encryption for your LAN per se. If you want to use SSL with the public for a web server, then you need a certificate from a trusted third party - a certificate from your own CA won't be trusted and won't work.

I have no idea what you mean by handling credit card payments. Normally that would be protected by SSL with a web server, so credit card information isn't any different than protecting any other web traffic.
mikey250 (Author) commented:

q1. i've never really understood this certificate authority or if it is never used at all, but that don't make sense as it must be there for a reason!!  so after some more reading i'm understanding that if users are not communicating outside their network then installing a 'ca' would be ok ?

q2. but if a company does communicate via the outside world via email and web server then a 3rd party 'ca' should be purchased and the local 'ca' would then not need to be installed ?

David Johnson, CD, MVP (Owner) commented:
Having your own certificate authority is only feasible inside of your own company. As I mentioned before, certificates work on a chain of trust.

Inside of your organization you can add the certificate authority into the trusted root provider store. This way, for any certificate used by any object that uses that certificate authority, when your system checks it, it looks at the certificate and looks upward in the certificate chain, and if it is trusted or issued by a trusted root provider it then ok's the certificate and doesn't show a warning.

Otherwise it will show a warning: that this certificate is not trusted, do you want to continue. This is after it checks that the date is within the range of the issued date and the expiry date, the sha1 hash works, and a few other checks.

In the real world it is impractical for each computer user to add certificates from each business they contact over the internet.  This would make our certificate store very large (it is already large enough because there are a lot of trusted certificate authorities throughout the world, i.e. the Hong Kong post office) and how are we to be absolutely sure that we are in fact contacting the company we desire and is this company legitimate? So we rely on a trusted company to do the vetting for us.

1. You have to pay someone for each certificate, therefore one won't be generating thousands of certificates as it would be economically unsound.
2. In order to get an EV certificate (green in title bar) you have to submit to the CA a bunch of supporting documents, i.e. you have to convince them that your company exists and that the person requesting the certificate has the permission of the owners of the company to obtain a certificate. They may check that a phone book listing exists and, by calling the phone number and contacting the owner of the company, that yes abc@example.com has permission to request the certificate. This all costs more money. But we as customers rely that the certificate authority has performed their due diligence and yes, the web server that we are connected to is who we think it is.

There are a bunch of certificate types, each valid for a specific purpose. You wouldn't want to give Joe in accounting a code signing certificate as Joe doesn't write programs as part of his job. The head programmer can use this certificate to sign executables since your company only allows signed programs to be installed on company computers.

The forced usage of certificates to verify identities is configurable in many areas of a network's infrastructure. It is just another layer of security.
mikey250 (Author) commented:
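The chain-of-trust checks described in the answer above (does the chain end at a root in the trust store, is the certificate inside its validity dates), shown as an added example that is not from the thread: it uses OpenSSL on the command line rather than the Windows 2003 CA wizard, assumes `openssl` is on the PATH, and all CA and server names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> subordinate -> leaf
# chain with OpenSSL, then show the checks a client makes before trusting
# the leaf: does the chain end at a root in the trust store, and is the
# certificate within its validity dates. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed, the equivalent of an enterprise root CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Corp Root CA" -keyout root.key -out root.crt 2>/dev/null

# Subordinate (issuing) CA: signed by the root, flagged as allowed to sign.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Corp Issuing CA" \
  -keyout sub.key -out sub.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile sub.ext -out sub.crt 2>/dev/null

# Leaf: a server certificate issued by the subordinate CA, valid one year.
openssl req -newkey rsa:2048 -nodes -subj "/CN=owa.example.local" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 365 -sha256 -out leaf.crt 2>/dev/null

# An unrelated self-signed root: the "piece of paper they signed themselves".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Somebody Else Root CA" -keyout other.key -out other.crt 2>/dev/null

# verify_leaf TRUSTSTORE [EPOCH]: exit 0 if leaf.crt chains (via sub.crt) to
# a root in TRUSTSTORE and is valid at EPOCH (default: now); non-zero otherwise.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted sub.crt -attime "$2" leaf.crt
  else
    openssl verify -CAfile "$1" -untrusted sub.crt leaf.crt
  fi >/dev/null 2>&1
}

if verify_leaf root.crt; then echo "root trusted: leaf accepted"; fi
if ! verify_leaf other.crt; then echo "unrelated root trusted: leaf rejected"; fi
if ! verify_leaf root.crt "$(( $(date +%s) + 400 * 86400 ))"; then
  echo "checked 400 days from now: leaf expired, rejected"
fi
```

The second case is the "do you want to continue" warning from the answer: the subordinate's signature is fine, but the chain never reaches a root the client trusts.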
hi ve3ofa,

i do appreciate your long-winded comments and yes i understand some of it but it still sparks confusion as i have no practical task to relate to:

- although yes i have watched a video of how to install an internal 'ca' - understood

- yes i've watched a video of how to request a 3rd party 'ca' - understood

from a new user point of view:

a standalone or domain network administrator running win 2003 & exchange 2003 with web server access & sql for example:

i would have thought the following:

- internal 'ca' - i would install
- exchange 2003 - nothing
- web server - i would also contact a 3rd party for ssl

so before i can fully understand your comments, from a practical point of view, the above is what i'm trying to grasp ie yes or no ?

i understand the analogy but need to know as i have the following:

- win 2003 domain
- exchange server 2003
- isa 2006 server
- file/print/web server
- xp desktop users

then i can start to grasp your comments better!!!:)
A CA is needed when generating many computer or user certificates for internal only use. A CA is a certificate "factory". It sounds like you might need 1 certificate for your web server, and you have already stated that you would use a 3rd party certificate. You don't need certificates to have an Active Directory domain, file server, desktop clients, print server, or Microsoft SQL Server. Exchange Server doesn't need a certificate either, unless you plan on running Outlook Web Access, in which case, just like a regular web server, you should be using a 3rd party certificate.

I am not familiar with ISA server, but if it did need a certificate, you would probably use a 3rd party certificate.

Put another way, you would install a CA only if you had a need for certificates, some of those certificates will support services that only AD domain members will be accessing, and you are not willing to pay for 3rd party certificates for internal-only services. I have not heard you describe any use case for internal only certificates, which is why I am telling you that you don't need it given the environment you have described.
David Johnson, CD, MVP (Owner) commented:
For the outside world you need a 3rd party certificate.  Inside your organization it is only an available option to enhance security, and the expense of a 3rd party certificate would be cost prohibitive. Do you need an internal CA? It depends upon your organization and the regulations that you must follow. If there isn't a business reason for implementing it then I wouldn't, since it is something more to break and maintain and adds more complexity to the internal network.  Most organizations don't need it.
mikey250 (Author) commented:
hi kevinhsieh, ok so my setup does (not) require the internal (ca) to be installed!!!! - that's what i wanted to know as far as that goes to give me a grounding.

yes i plan on setting up 'exchange 2003/owa' - so a 3rd party 'ca' is needed - ok

q1.  although you also say the following im now trying to understand what geographically separated network topology would require the use of the internal 'ca' ie  say configured via 'routing protocol - rip v2 or even eigrp or ospf': ?

q2. also if i was to setup maybe a 'front-end & back-end' exchange for (owa) as suggested above ?

"a ca is needed when generating many computer or user certificates for internal only use"

- "i have not heard you describe any use case for internal only certificates, which is why i am telling you that you don't need it given the environment you have described."
mikey250 (Author) commented:
hi ve3ofa,

q1. only a guess but i'm assuming the below comments maybe country to country type scenario so this is what i was also trying to grasp:

"do you need an internal 'ca', it depends upon your organization and the regulations that you must follow"

q2.  i'm not even entirely sure if having multiple 'dc' or multiple 'child dc' if 'ca' are also installed, but for the time being ignoring 'exchange 2003/owa' or 'web server' for the time being ?
Certificates are not used in any routing protocols that I am aware of, and I have run RIP, OSPF, EIGRP, and BGP.
mikey250 (Author) commented:
hi kevin, apologies as just wanna grasp that last bit!

q1. ok i was just wondering what setup different to mine would require the install of an internal 'ca' for example 'site to site' connections, as just wondering ?
Site to site connections is NOT an example that would require certificates, and therefore does not require a certificate authority.

The most common need for a certificate authority that I have seen is if one wants to implement 802.1x port authentication on Ethernet switches or enterprise level WPA wireless authentication with Microsoft PEAP.
mikey250 (Author) commented:
hi kevin,

ah yes i wanted to setup: 802.1x port authentication and was not aware of this with 'ca' although that will have to be another question i ask on a new thread because i also wish to add a 'dot1x system-auth-control' and the rest on a specific port via 'radius' at a later date but via a standalone as not needed via a domain!!
mikey250 (Author) commented:
i appreciate the information to my question given!!!!!!!!!!!!!!!!!!! (but)!

i'm still not clear on this 'ca'
i've been told for my small network topology that i do not need it - ok that i can understand
i've been told that if i use the following then a 3rd party 'ca' would be required - ok that i can understand because this will offer the protection from the outside world as far as the 'ca' goes:

- web server
- exchange

- 802.1x  - specifically wireless (according to expert 'kevin') a 'ca' is needed - ok that i can understand as when i configured 'radius' sometime ago i did see 802.1x in the list but i did not select it personally as it was not needed at that time and not via my cisco switch either.

if i was in a company where the boss expected me to know the answer, of when not to install an 'internal ca' i still would not be able to give them the answer except what i've been advised above so far!

an internal 'ca' is obviously there to install although apparently i don't need it, so when!!!!