marrj asked:
Externally-Trusted AD-Integrated PKI

I have an existing enterprise PKI built on Windows Server 2012 R2. My organization is now wanting to invest in something that is externally trusted. Is there any such thing as having an externally-trusted enterprise PKI that is built on Windows? I really like having the ability to fully integrate with Group Policy and an AD environment.
David Johnson, CD:

You can try to get a certificate authority to issue you a domain-wide root certificate, but expect to pay many thousands of dollars and go through a substantial vetting process.
marrj (asker):
Do you have any recommendations as far as root certificate vendors?
You will have to call them directly about becoming a subordinate CA. Be prepared to spend a ton of money, that is, a metric ton of $50 bills. Also be prepared to travel with your HSM and ensure that your policies are up to snuff. They will do an in-house audit at your expense.

If you don't know what an HSM is, or what OIDs and policy statements are (i.e. you probably don't have a policy server in place), it is time to hire a consultant, e.g. komarconsulting.com (I know Brian personally).
Be aware that the usual requirement is that you have a turnover in excess of $1M *and* liability insurance of that amount before you will be considered for a subordinate (issuing) CA. It will also cost you somewhere north of $4K/year for the certificate (usually available in multiples of 3 or 5 years, depending on the issuing root CA) and involve a substantial vetting process.

Really, this isn't an option for most companies, nor should it be, unless you want to get into the business of selling certificates. For AD, you can simply push your own root to hosts, and/or make it available on a website for download and install.
marrj (asker):
OK ok, I get the point.  It looks like that approach might be a little out of our financial reach.  Have any of you found solutions that you would recommend as alternatives to having a fully-integrated approach via becoming a subordinate?  My main business need is the ability to offer widely available methods for digitally signing documents of various formats in an enterprise of about 700 employees.
Then use your existing CA structure. Export the root certificate of the CA server, add it via Group Policy to the trusted publishers store, and publish the document-signing certs for each user.
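The export-and-verify part of that answer, as an added PowerShell example (not code from the thread or from Microsoft). It assumes a domain-joined workstation with the PKI module (Windows 8 / Server 2012 or later), a root CA whose subject contains "Contoso Root CA" (a placeholder for your own CA name), and a user certificate template that carries the Microsoft Document Signing EKU, 1.3.6.1.4.1.311.10.3.12. It exports the enterprise root in the DER form you import into a GPO and then builds the chain for the user's signing certificate exactly as a relying party would, so you can see both why it works inside the domain and what breaks outside it.

```powershell
# Added example, not from the original thread.
# (a) Export the enterprise root CA from the local Trusted Root store.
# (b) Check that the current user's document-signing certificate chains to
#     that root, with the Document Signing application policy enforced.
# Assumptions: '*CN=Contoso Root CA*' stands in for your root CA's subject;
# the signing template uses EKU 1.3.6.1.4.1.311.10.3.12 (Document Signing).
param(
    [string]$RootSubjectPattern = '*CN=Contoso Root CA*',      # assumption: your root CA name
    [string]$DocSigningEku      = '1.3.6.1.4.1.311.10.3.12',   # Microsoft Document Signing EKU
    [string]$ExportPath         = "$env:TEMP\enterprise-root.cer"
)

# 1. Locate the enterprise root in Cert:\LocalMachine\Root and export it as DER.
#    The resulting .cer is what you import into the GPO under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities, or publish to
#    AD with: certutil -dspublish -f <file> RootCA
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $RootSubjectPattern } |
    Select-Object -First 1
if (-not $root) {
    throw "No certificate matching '$RootSubjectPattern' in Cert:\LocalMachine\Root"
}
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Exported root '$($root.Subject)' (thumbprint $($root.Thumbprint)) to $ExportPath"

# 2. Find the user's certificates that carry the Document Signing EKU and a
#    private key, i.e. the ones actually usable for signing documents.
$signingCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $DocSigningEku) }
if (-not $signingCerts) {
    Write-Warning "No document-signing certificate with a private key in Cert:\CurrentUser\My"
}

# 3. Build each chain the way a relying party on this machine would: require
#    the Document Signing application policy and check revocation online.
foreach ($cert in $signingCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ekuOid = New-Object System.Security.Cryptography.Oid $DocSigningEku
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($ekuOid)

    $trusted = $chain.Build($cert)
    $topCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $statusText) { $statusText = 'NoError' }

    [pscustomobject]@{
        Subject     = $cert.Subject
        ChainsTo    = $topCert.Subject
        RootIsOurs  = ($topCert.Thumbprint -eq $root.Thumbprint)
        TrustedHere = $trusted
        ChainStatus = $statusText
    }
    # On a host outside the domain (no GPO, root never installed) the same
    # Build() returns $false with ChainStatus 'UntrustedRoot': the signature is
    # still cryptographically valid, but the relying party has no reason to
    # trust the issuer. That is the "not trusted externally" limitation.
}
```

Two practical notes. An Enterprise CA already publishes its root into the AD Certification Authorities container when it is installed, so domain members normally pick it up without a dedicated GPO; the GPO is what guarantees the root lands on hosts that miss that path, and the exported .cer is also what you would hand to an outside partner who is willing to install it by hand. And for a relying party that is not in your domain, run the same chain build there: a `ChainStatus` of `UntrustedRoot` (or `PartialChain`) is the concrete symptom of the externally-trusted gap the question is about.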
marrj (asker):
But that kind of solution won't be trusted externally, correct?
SOLUTION by David Johnson, CD: (text available to members only on the original page)

ASKER CERTIFIED SOLUTION: (text available to members only on the original page)