Externally-Trusted AD-Integrated PKI

Posted on 2014-08-12
Last Modified: 2014-09-17
I have an existing enterprise PKI built on Windows Server 2012 R2.  My organization is now wanting to invest in something that is externally-trusted.  Is there any such things as having an externally-trusted enterprise PKI that is built on Windows?  I really like having the ability to fully integrate with Group Policy and an AD environment.
Question by:marrj
10 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40257017
You can try to get a certificate authority to issue you a domain-wide root certificate, but expect to pay many thousands of dollars and face a substantial vetting process.
0
 
LVL 1

Author Comment

by:marrj
ID: 40257028
Do you have any recommendations as far as root certificate vendors?
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40257061
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40257116
You will have to call them directly about becoming a subordinate CA. Be prepared to spend a ton of money; that is, a metric ton of $50 bills. Also be prepared to travel with your HSIM and ensure that your policies are up to snuff. They will do an in-house audit at your expense.

If you don't know what an HSIM is, or what OIDs and policy statements are, i.e. you probably don't have a policy server in place, it is time to hire a consultant, i.e. komarconsulting.com (I know Brian personally).
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40258281
Be aware that the usual requirement is that you have a turnover in excess of $1M *and* liability insurance of that amount before you will be considered for a subordinate (issuing) CA. It will also cost you somewhere north of $4K/year for the certificate (usually available in multiples of 3 or 5 years, depending on the issuing root CA) and involve a substantial vetting process.

Really, this isn't an option for most companies, nor should it be, unless you want to get into the domain of selling certificates - for AD, you can simply push your own Root to hosts, and/or make it available on a website for download and install.
0
 
LVL 1

Author Comment

by:marrj
ID: 40259444
OK, OK, I get the point. It looks like that approach might be a little out of our financial reach. Have any of you found solutions that you would recommend as alternatives to having a fully-integrated approach via becoming a subordinate? My main business need is the ability to offer widely available methods for digitally signing documents of various formats in an enterprise of about 700 employees.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40259480
Then use your existing CA structure. Export the root certificate of the CA server and then, via group policy, add it to the trusted publishers store and publish the document signing certs for each user.
0
 
LVL 1

Author Comment

by:marrj
ID: 40259540
But that kind of solution won't be trusted externally, correct?
0
 
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 40259663
That is correct; it will not be trusted externally. You can purchase document signing certs for a modest price.
0
 
LVL 33

Accepted Solution

by:Dave Howe
Dave Howe earned 1000 total points
ID: 40260183
It won't be trusted externally unless the trusting parties import your CA cert, which is a trivial task.
0
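The point made in the last two answers (an internal CA's document-signing certs only verify on hosts that have the enterprise root in their trusted root store) can be checked directly. The following PowerShell is an added example, not code from any of the posters: it builds the chain for a certificate file and reports whether the chain ends in an untrusted root, and the comments show the export and import steps the answers describe. The CA config string, file paths and certificate file names are placeholders.

```powershell
# Added example: verify whether a certificate chains to a root this host trusts.
# Usage: Test-ChainsToTrustedRoot -CertPath C:\temp\user-docsign.cer   (placeholder path)
function Test-ChainsToTrustedRoot {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip revocation checking here: the question is only whether the trust anchor is known.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # UntrustedRoot is exactly the failure an external party sees for an internal CA.
    $untrustedRoot = $chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        RootSubject   = $root.Subject
        ChainValid    = $built
        UntrustedRoot = [bool]$untrustedRoot
        StatusFlags   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Steps to make the enterprise root trusted on a host (placeholder paths):
#
# 1. On the CA server, export the root CA certificate (certutil is built into Windows):
#      certutil -ca.cert C:\temp\EnterpriseRoot.cer
#
# 2. Distribute it. For domain-joined hosts the supported way is Group Policy:
#      Computer Configuration > Policies > Windows Settings > Security Settings >
#      Public Key Policies > Trusted Root Certification Authorities.
#    For a single non-domain host (for example a partner who must verify your
#    signatures), import it into the machine's Trusted Root store:
#      Import-Certificate -FilePath C:\temp\EnterpriseRoot.cer `
#                         -CertStoreLocation Cert:\LocalMachine\Root
#
# 3. Re-run Test-ChainsToTrustedRoot on a document-signing cert issued by that CA:
#    UntrustedRoot should change from $true to $false.
```

Before the root is imported, `ChainValid` is `$false` and `UntrustedRoot` is `$true`, which is exactly what an outside recipient of a signed document would experience; after the import, only certificates issued by that specific CA hierarchy gain trust, so the scope of what the host now accepts is as narrow as the CA's own issuance policy.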
