
Certificate Services

Posted on 2014-01-17
Last Modified: 2014-01-20
I will admit, certificate services is something I never fully understood in all the years of managing a Windows environment and classes. I need some guidance. We have VMware that uses vCenter. The vCenter needs 4 or 5 certificates installed. Rather than pay $1,000 for a public certificate authority, I think all I need is an internal certificate server (none of these services are traversing the Internet, just in-house). I never set up a certificate server before. I just need a server to issue a certificate for my VMware server. Do I install a CA? A standalone root? Or do you have to do both? Also, when you install this, do the users and computers automatically get incorporated into the server, or do they have to be "activated"? I don't want to have all these issues popping up right after I install the server. Thanks!
Question by: jsgrosskopf

Accepted Solution by: irweazelwallis (earned 500 total points)

If you have a Windows domain then it's worth looking at.

The recommended setup is a two-tier PKI:
a standalone root CA that is not on the domain, and then a subordinate enterprise CA that actually does the signing.

If you look at this TechNet article, it details all the steps for setting it up. It's what I go back to to check stuff:

http://blogs.technet.com/b/xdot509/archive/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up.aspx

As for the users and computers being automatically incorporated, the answer is no.
You need to set up auto-enrollment policies to give users or computers certificates.

Have a look through this to explain auto-enrollment:
http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/

You would probably need two basic VMs, so if that won't cost too much then go for it. If not, have a look at GoDaddy or something cheap.
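The two-tier layout this answer recommends, carried through end to end in PowerShell as an added example (Windows Server 2012 or later, using the ADCSDeployment and GroupPolicy modules). This is not code from the thread or from the linked TechNet article. The CA names ("Contoso Root CA", "Contoso Issuing CA"), the domain contoso.com, the HTTP path http://pki.contoso.com/pki/ used for CRL and AIA distribution, the drive letters and the request ID are all assumptions for the illustration. Parts 1 to 3 run on different machines, in order; Part 4 is the auto-enrollment policy the answer says you have to create before anything enrolls on its own.

```powershell
# Added example, not from the thread: two-tier AD CS in PowerShell (Server 2012+).
# Assumed names: root "Contoso Root CA", issuing "Contoso Issuing CA",
# CRL/AIA web path http://pki.contoso.com/pki/, domain contoso.com.

### Part 1 - on the standalone root (workgroup server, never domain-joined) ###

# CAPolicy.inf is read when the role is configured; it shapes the root's own
# certificate and stops the root from loading issuance templates it must never use.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Domain clients must be able to fetch this root's CRL even while the box is off,
# so point CDP/AIA at a web server on the domain (IIS folder, assumed) in addition
# to the local default. certutil splits multi-valued entries on a literal "\n".
certutil -setreg CA\CRLPublicationURLs `
    "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs `
    "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
# Long CRL lifetime: the offline root only has to come up twice a year to republish.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl
# Copy C:\Windows\System32\CertSrv\CertEnroll\*.crt and *.crl to removable media.

### Part 2 - on a domain member, as Enterprise Admin ###

# Publish the root into AD so every domain machine trusts it via Group Policy,
# and drop the files on the web path the CDP/AIA URLs point at.
certutil -dspublish -f "E:\Contoso Root CA.crt" RootCA
certutil -dspublish -f "E:\Contoso Root CA.crl"
Copy-Item E:\*.crt, E:\*.crl \\pki.contoso.com\pki\

### Part 3 - on the domain-joined issuing CA ###

Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
# Produces a request file instead of a certificate: the root has to sign it.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile C:\pki\issuing.req -Force

# Carry issuing.req to the root. A standalone CA holds requests as pending:
#   certreq -submit C:\pki\issuing.req        # prints "RequestId: 2" (value assumed)
#   certutil -resubmit 2                      # approve it
#   certreq -retrieve 2 C:\pki\issuing.cer    # fetch the signed CA certificate
# Bring issuing.cer back and finish the subordinate:
certutil -installcert C:\pki\issuing.cer
Start-Service certsvc

### Part 4 - auto-enrollment GPO (the answer's second point: nothing enrolls by itself) ###

Import-Module GroupPolicy
$gpo = New-GPO -Name "PKI - Certificate Autoenrollment"
# AEPolicy 7 = enabled (1) + renew expired / update pending (2) + update templates (4)
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target "DC=contoso,DC=com"
# Machines still only receive templates whose ACL grants them Enroll + Autoenroll.
```

Two things worth checking before the first real certificate: `certutil -verify -urlfetch` against the issuing CA's own certificate should resolve the root's CRL over the HTTP path, otherwise every issued certificate will show as revocation-unknown; and the GPO alone hands out nothing until at least one template (for example a duplicate of Computer) has Autoenroll granted to Domain Computers and is published on the issuing CA.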

Author Comment by: jsgrosskopf

Wow, thanks for the tip. It looks complicated, plus I'll need another server to set up outside my domain, which I don't have right now. It's starting to look like cost is going to be a wash: a new server for a standalone CA vs. getting 4 certs from GoDaddy or somewhere else. Thanks again.

Expert Comment by: irweazelwallis

Do you have any virtual hosts (Hyper-V or ESX)? If you configure it correctly you just build it on the network, don't add it to the domain, and then take it offline.

Author Comment by: jsgrosskopf

I do and will do that, but can I do it with just an enterprise root CA only? Do I have to have a standalone root CA?

Expert Comment by: irweazelwallis

You can just do one tier, it's not a problem. I do that in my test labs.

Also, it's always good to state recommended practices and then caveat with what usually gets done.
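The one-tier option accepted in this last comment (a single enterprise root CA that is both the trust anchor and the issuer), carried through to the server certificate the question actually asked for, as an added PowerShell example that is not code from the thread. The CA host CA01.contoso.com, the CA name "Contoso Lab CA", the vCenter host name vcenter.contoso.com, its address 10.0.0.10 and the C:\pki paths are assumptions. The request uses the Web Server template, which an enterprise CA publishes by default; how vCenter itself consumes the resulting PFX is VMware documentation and is not covered here.

```powershell
# Added example, not from the thread: single-tier Enterprise Root CA, then a
# SAN server certificate for vCenter. Assumed: CA host CA01.contoso.com,
# CA name "Contoso Lab CA", vCenter at vcenter.contoso.com / 10.0.0.10.

### On the domain-joined CA server, as Enterprise Admin ###
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# One box is both trust anchor and issuer: its key stays online and is exposed to
# every request it serves, which is the trade-off the two-tier design avoids.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName "Contoso Lab CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# An enterprise CA publishes its own certificate to AD; domain members pick it up
# as a trusted root at the next Group Policy refresh, so no extra distribution step.

### On any domain-joined admin box: request the vCenter certificate ###
New-Item -ItemType Directory -Path C:\pki -Force | Out-Null
@'
[NewRequest]
Subject = "CN=vcenter.contoso.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = subjectAltName. Clients match the SAN, not the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=vcenter.contoso.com&"
_continue_ = "dns=vcenter&"
_continue_ = "ipaddress=10.0.0.10"

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path C:\pki\vcenter.inf -Encoding ASCII

# Generate key + CSR, submit to the CA, bind the issued cert to the key.
certreq -new C:\pki\vcenter.inf C:\pki\vcenter.req
certreq -submit -config "CA01.contoso.com\Contoso Lab CA" C:\pki\vcenter.req C:\pki\vcenter.cer
certreq -accept C:\pki\vcenter.cer

# Export cert + private key as PFX for the vCenter host, and check the chain
# resolves back to the new root before uploading it anywhere.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=vcenter.contoso.com' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\pki\vcenter.pfx -Password $pfxPassword
certutil -verify -urlfetch C:\pki\vcenter.cer
```

`Exportable = TRUE` is only there because the key must leave the Windows box for the vCenter appliance; for a certificate that stays on the requesting server, leave it out so the private key cannot be exported later. The `-urlfetch` check confirms the CDP and AIA URLs embedded in the new certificate actually answer, which is what clients will do before trusting it.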