certificate authority queries - windows 2003
Posted on 2013-01-27
Hi, I am configuring a Windows 2003 domain & so far I have:
- master AD/DNS/DHCP server
- file & printer server
- XP desktops
- via a Cisco switch
I've been doing some reading about 'CA', but still am not sure about the following questions of mine and was hoping someone has the knowledge to give me a 'yes or no' answer & maybe some extra advice for each!!
qns1. Is it ok to go ahead & install a 'CA' for an internal local domain?
qns2. Should I use a 3rd party 'CA' if connecting 1 domain to another, or multiple if geographically separated?
qns3. Is it true that a 'CA' is supposed to provide a SHA-1 feature, which apparently generally uses a 160 bit hashing algorithm encryption method to presumably protect an internal network?
qns4. I was under the understanding that I should first install & configure a Windows 2003 network or domain & maybe 1 domain user account & maybe a home user via a VPN, & then I would install the internal 'CA' via Windows components, & for maybe credit card transactions or Outlook Web Access I should then purchase a 3rd party 'CA', & as we all know us humans make mistakes. Is this true?
The reason for asking 'qns4' above was that when I attempt to install the 'CA' on my Windows 2003 it states:
"after we install the 'ca', the machine name & domain membership may not be changed due to the binding of the machine name to 'ca' info stored in the 'ad'. changing the machine name or domain membership would invalidate certificates issued from the 'ca'. please ensure the proper machine name & domain membership are configured before installing certificate services"
qns5. When I attempt to install the 'CA' it lists the below, but I'm not sure which 1 to select:
- Enterprise root CA - ok for an enterprise network
- Enterprise subordinate CA - not sure
- Standalone root CA - ok for a network not part of a domain
- Standalone subordinate CA - not sure
qns6. Can I temporarily use a 'CA' to test the 'VPN' is secure (although the 'VPN' still connects without one), or even a credit card transaction, & then later add a 3rd party one?
Note: as far as I'm aware MD5 is used on Cisco switches & routers using routing protocols, but I always wondered where 'SHA-1' was used!!!
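As an added illustration for qns3 and the closing note (this is example code, not part of the original post): a hash such as MD5 or SHA-1 turns input of any length into a fixed-size digest (128 bits for MD5, 160 bits for SHA-1). In a CA context that digest is what gets signed when a certificate is issued, and it is also the "thumbprint" the Windows certificate dialog shows, which is how you recognise a given CA certificate and detect that a copy has been altered. The `SAMPLE_DER` bytes below are a constructed stand-in, not a real certificate.

```python
import hashlib

# Constructed sample standing in for a DER-encoded certificate (NOT a real cert).
SAMPLE_DER = bytes.fromhex("30820123a003020102") + b"example-cert-body-for-illustration"


def digest_bits(algo: str) -> int:
    """Size of the digest the named hash algorithm produces, in bits."""
    return hashlib.new(algo).digest_size * 8


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint of a certificate's DER bytes, as hex pairs separated by
    spaces, the way a certificate dialog's Thumbprint field lays it out."""
    hexdigest = hashlib.new(algo, der).hexdigest()
    return " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(der_a: bytes, der_b: bytes, algo: str = "sha1") -> bool:
    """Integrity check: two byte strings are the same certificate only if their
    thumbprints match; changing even one bit yields a different digest."""
    return thumbprint(der_a, algo) == thumbprint(der_b, algo)


if __name__ == "__main__":
    # Digest sizes relate to the note about MD5 on Cisco kit vs SHA-1 in a CA.
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:6s} {digest_bits(algo):3d} bits  {thumbprint(SAMPLE_DER, algo)}")
    # Flip one bit in the last byte and show the thumbprint no longer matches.
    tampered = SAMPLE_DER[:-1] + bytes([SAMPLE_DER[-1] ^ 0x01])
    print("tampered copy matches original:", same_certificate(SAMPLE_DER, tampered))
```

Run it and the three digest sizes print alongside the thumbprints; the final line prints `False`, because the hash covers every byte of the certificate and has no key and no reverse operation, which is what makes it an integrity and identification tool rather than a way of hiding data.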