Solved

Certificate Services

Posted on 2014-01-17
5
257 Views
Last Modified: 2014-01-20
I will admin, certificate services is something I never fully understood in all the years of managing a windows environment and classes. I need some guidance. We have VMWare that uses VCenter. The VCenter needs 4 or 5 certificates installed. Rather than pay $1,000 for a public certificate authority, I think all I need is an internal Certificate server (none of these services are traversing the Internet, just in-house). I never setup a certificate server before. I just need a server to issue a certificate for my VMWare server. Do I install a CA?, standalone root? or do you have to do both? Also, when you install this do the users and computers automatically get incorporated into the server or do that have to be "activated". I don't want to have all these issues popping up right after I install the server. Thanks!
0
Comment
Question by:jsgrosskopf
  • 3
  • 2
5 Comments
 
LVL 18

Accepted Solution

by:
irweazelwallis earned 500 total points
ID: 39792712
If you have a windows Domain then its worth looking at.

The recommend setup is a two tier PKI.
A standalone root CA that is not on the domain and then a subordinate Enterprise CA that actually does the signing.

If you look at this technet article is details out all the steps for setting it up. Its what i go back to to check stuff

http://blogs.technet.com/b/xdot509/archive/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up.aspx

As for the User and computers being automatically incorporated the answer is no.
You need to setup up auto enrollment policies for gives users or computers certificates

Have a look through this to explain auto enrollment
http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/

You would probably need to basic VM's so if that won't cost too much then go for it. If not have a look at Go Daddy or something cheap
0
 

Author Comment

by:jsgrosskopf
ID: 39794311
Wow, thanks for the tip. It looks complicated, plus I'll need another server to setup outside my domain, which I don't have right now. It's starting to look like cost is going to be a wash, new server for stand alone vs. getting 4 certs from godaddy or somewhere else. Thanks again
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39794383
do you have any virtual hosts - hyper-v or ESX as if you configure correctly you just build on the network, don't add to the domain and then make it offline
0
 

Author Comment

by:jsgrosskopf
ID: 39794481
I do and will do that but Can do it with just an enterprise Root CA only. Do I have to have a standalone root CA?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39794540
You can just do one tier its not a problem. I do that in my test labs.

Also always good to state recommended practices and then caveat for what gets done usually.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question