Externally-Trusted AD-Integrated PKI

I have an existing enterprise PKI built on Windows Server 2012 R2. My organization is now wanting to invest in something that is externally trusted. Is there any such thing as an externally-trusted enterprise PKI that is built on Windows? I really like having the ability to fully integrate with Group Policy and an AD environment.
Asked by marrj
David Johnson, CD, MVP (Owner) commented:
You can try to get a certificate authority to issue you a domain-wide root certificate, but expect to pay many thousands of dollars and go through a substantial vetting process.
marrj (Author) commented:
Do you have any recommendations as far as root certificate vendors?
David Johnson, CD, MVP (Owner) commented:
David Johnson, CD, MVP (Owner) commented:
You will have to call them directly about becoming a subordinate CA. Be prepared to spend a ton of money, that is, a metric ton of $50 bills. Also be prepared to travel with your HSM and ensure that your policies are up to snuff. They will do an in-house audit at your expense.

If you don't know what an HSM is, or what OIDs and policy statements are, you probably don't have a policy server in place. Time to hire a consultant, e.g. komarconsulting.com (I know Brian personally).
Dave Howe (Software and Hardware Engineer) commented:
Be aware that the usual requirement is that you have a turnover in excess of $1M *and* liability insurance of that amount before you will be considered for a subordinate (issuing) CA. It will also cost you somewhere north of $4K/year for the certificate (usually available in multiples of 3 or 5 years, depending on the issuing root CA) and involve a substantial vetting process.

Really, this isn't an option for most companies, nor should it be, unless you want to get into the domain of selling certificates - for AD, you can simply push your own Root to hosts, and/or make it available on a website for download and install.
marrj (Author) commented:
OK, OK, I get the point. It looks like that approach might be a little out of our financial reach. Have any of you found solutions that you would recommend as alternatives to having a fully-integrated approach via becoming a subordinate? My main business need is the ability to offer widely available methods for digitally signing documents of various formats in an enterprise of about 700 employees.
David Johnson, CD, MVP (Owner) commented:
Then use your existing CA structure. Export the root certificate of the CA server and then, via Group Policy, add it to the trusted publishers store and publish the document signing certs for each user.
marrj (Author) commented:
But that kind of solution won't be trusted externally, correct?
David Johnson, CD, MVP (Owner) commented:
That is correct, it will not be trusted externally. You can purchase document signing certs for a modest price.
Dave Howe (Software and Hardware Engineer) commented:
It won't be trusted externally unless the trusting parties import your CA cert, which is a trivial task.
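As an added illustration of the point made in the last two answers (not code from the thread or from any participant): the script below, run on a machine that must verify signatures, reports whether a user's document-signing certificate chains to a root that machine trusts. On a domain member that received the enterprise root through Group Policy the chain builds; on an outside machine it fails with UntrustedRoot until the exported root is imported. The certificate paths and the root CA name are assumptions.

```powershell
# Added example, not from the thread. Checks whether a document-signing certificate issued by an
# AD CS enterprise CA is trusted on this machine, and shows the manual equivalent of the GPO fix.
# Assumptions: the signing cert and the exported root are plain .cer files at the paths below.
param(
    [Parameter(Mandatory)][string]$SigningCertPath,          # e.g. C:\pki\jdoe-docsign.cer (assumed)
    [string]$EnterpriseRootPath = 'C:\pki\contoso-root.cer'   # root exported from the CA, e.g. via: certutil -ca.cert
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Test-DocumentSigningTrust {
    param([string]$CertPath)
    $cert  = New-Object "$X509.X509Certificate2" -ArgumentList $CertPath
    $chain = New-Object "$X509.X509Chain"
    # Check revocation online and require the Document Signing EKU (Microsoft OID 1.3.6.1.4.1.311.10.3.12),
    # so a cert issued for some other purpose does not pass as a signing cert.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $eku = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.4.1.311.10.3.12'
    $chain.ChainPolicy.ApplicationPolicy.Add($eku) | Out-Null
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $trusted
        # Empty when the chain is good; 'UntrustedRoot' is exactly what an outside relying party sees
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$before = Test-DocumentSigningTrust -CertPath $SigningCertPath
$before | Format-List

if (-not $before.Trusted -and $before.Status -match 'UntrustedRoot') {
    # Manual equivalent of what the GPO setting (Computer Configuration > Policies > Windows Settings >
    # Security Settings > Public Key Policies > Trusted Root Certification Authorities) does for
    # domain members. Needs an elevated prompt; only import a root you have verified out of band.
    Import-Certificate -FilePath $EnterpriseRootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Test-DocumentSigningTrust -CertPath $SigningCertPath | Format-List
}
```

Before importing the root on an external machine, compare its thumbprint with the value published by your PKI team; the whole trust decision for that party rests on that one check.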