Solved

Certificate Services

Posted on 2014-01-17
5
268 Views
Last Modified: 2014-01-20
I will admin, certificate services is something I never fully understood in all the years of managing a windows environment and classes. I need some guidance. We have VMWare that uses VCenter. The VCenter needs 4 or 5 certificates installed. Rather than pay $1,000 for a public certificate authority, I think all I need is an internal Certificate server (none of these services are traversing the Internet, just in-house). I never setup a certificate server before. I just need a server to issue a certificate for my VMWare server. Do I install a CA?, standalone root? or do you have to do both? Also, when you install this do the users and computers automatically get incorporated into the server or do that have to be "activated". I don't want to have all these issues popping up right after I install the server. Thanks!
0
Comment
Question by:jsgrosskopf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 18

Accepted Solution

by:
irweazelwallis earned 500 total points
ID: 39792712
If you have a windows Domain then its worth looking at.

The recommend setup is a two tier PKI.
A standalone root CA that is not on the domain and then a subordinate Enterprise CA that actually does the signing.

If you look at this technet article is details out all the steps for setting it up. Its what i go back to to check stuff

http://blogs.technet.com/b/xdot509/archive/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up.aspx

As for the User and computers being automatically incorporated the answer is no.
You need to setup up auto enrollment policies for gives users or computers certificates

Have a look through this to explain auto enrollment
http://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/

You would probably need to basic VM's so if that won't cost too much then go for it. If not have a look at Go Daddy or something cheap
0
 

Author Comment

by:jsgrosskopf
ID: 39794311
Wow, thanks for the tip. It looks complicated, plus I'll need another server to setup outside my domain, which I don't have right now. It's starting to look like cost is going to be a wash, new server for stand alone vs. getting 4 certs from godaddy or somewhere else. Thanks again
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39794383
do you have any virtual hosts - hyper-v or ESX as if you configure correctly you just build on the network, don't add to the domain and then make it offline
0
 

Author Comment

by:jsgrosskopf
ID: 39794481
I do and will do that but Can do it with just an enterprise Root CA only. Do I have to have a standalone root CA?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39794540
You can just do one tier its not a problem. I do that in my test labs.

Also always good to state recommended practices and then caveat for what gets done usually.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my previous 24 VMware Articles (http://www.experts-exchange.com/ARTH_1864316.html?arthOrderBy=3&arthSort=1#arth), most featured Intermediate VMware Topics. My next series of articles concentrated on topics for the VMware Novice;   If you would…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question