Solved

created standalone and subordinate CA...now what?

Posted on 2014-11-14
Last Modified: 2014-11-17
I created a standalone root CA and an enterprise subordinate CA utilizing the TechNet article (Test Lab Guide) Deploying an AD CS Two-Tier PKI Hierarchy, among other articles, and believe it or not, everything went fine (as far as "I" know!). The capolicy.inf had "LoadDefaultTemplates=0" so that the Subordinate CA would not immediately start issuing certificates. Okay! Now here is where I have questions. (And please do not laugh at me... ok, you can, because I won't be able to see you, but it will still hurt my feelings.)
1. Am I correct in presuming that this subordinate server is just for internal stuff?
2. What templates should I load? (I have Exchange Server, Lync Server, DHCP servers, DNS servers, file servers etc.; I also have over 100 clients (users and PCs).)
3. Am I correct in presuming I will need a certificate from a trusted 3rd party such as "Digicert, Godaddy or VeriSign"?
4. What are trusted 3rd party certificates used for? External use. So anyone who connects to my domain from the outside world would get one of those?
5. If I do need 3rd party certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us")
6. Would I need "Wildcard" or "SAN"?

I know I sound totally illiterate about this but I cannot seem to find too much on what to do after one has created the servers.

Also, I was perusing another article about Certificate Policy and Certificate Practice Statements and it seems like such a complicated process. Are these necessary? Or am I reading too much into all of this? (I told you not to laugh at me!!) Man, it seems like one could do just your one job and one would be constantly busy in an organization just trying to get a PKI up and running... properly.

Let me say in advance, thank you to anyone who responds to my queries. I do understand that you all are very busy also, and to take time to help a clueless tech... well, I really appreciate the help.

Thanks...Harold
Question by:harold mcmullen
2 Comments
Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40444216
To answer your questions:
1. am I correct in presuming that this subordinate server is just for internal stuff?
Yes, you are right. You should not use the certificates issued from this CA on any stuff that is published on the internet; it will create problems because your root CA certificate is not trusted by systems on the internet that are accessing your servers.

2. what templates should I load? (I have exchange server, LYNC Server, dhcp servers, dns servers, file servers etc.; I also have over 100 clients (users and pc's)
It depends upon what you have. You should get 3rd party certificates for your Lync \ Exchange servers.
For other internal servers you can use this CA's certificates, and for your internal desktops \ laptops you can use this CA's certificates as well.

3. am I correct in presuming I will need a certificate from a trusted 3rd party such as "Digicert, Godaddy or VeriSign"?
For anything that will be published on the internet you do require a certificate from a 3rd party.
E.g. Exchange, Lync, web servers etc.

4. What are trusted 3rd Party Certificates used for? External use. So anyone who connects to my domain from the outside world would get one of those?
Most of the well known 3rd party trusted root certs are already installed on servers \ desktops with the default Windows installation, so you don't have to worry about that.
You need to ensure that whatever stuff you make publicly available (web servers, Lync, Exchange OWA etc.) has a cert from a public CA.

5. if I do need 3rd party Certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us")
I cannot work out an exact count without more information. You can count how many applications you are publishing on the internet; based on this info you need to get that many public certs.

6. would I need "Wildcard" or "SAN"
A wildcard certificate is very expensive and should be used when you have multiple application servers published on the internet with the same domain name.
For example, you might have 25 servers published on the internet such as app1.contoso.com, app2.contoso.com and so on.
In that case you can get a wildcard certificate *.contoso.com which will cover all application host names, and then install that cert on each server.

Also, a wildcard certificate will not work across a parent-child domain.
For example, Contoso.com and Corp.Contoso.com are two domains; in that case *.Contoso.com will only work for applications running under Contoso.com.
If you have any apps running under corp.contoso.com, you need another wildcard certificate (*.corp.contoso.com).

According to my understanding you don't need a wildcard cert; a SAN certificate alone will help.
You need one SAN cert for Exchange:
autodiscover.domain.com
domain.com
webmail.domain.com
A SAN certificate can have multiple hostnames.
For the rest of the servers you can have single-name certificates.

The best option could be to contact a 3rd party CA and get certificates for the servers published on the internet.
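Worked example (added here; it is not part of Mahesh's answer or of any Microsoft tooling) of the name-coverage rules above: a wildcard such as *.contoso.com covers exactly one host label, so it does not cover the bare zone or a child domain like corp.contoso.com, while a SAN certificate lists each hostname explicitly. The hostnames are constructed sample values; the script reports which published hosts a given certificate would leave uncovered, i.e. where another certificate must be bought.

```python
"""Check which published hostnames a certificate's names would cover.

Added example, not from the original thread.  Implements the matching
rules the accepted answer describes: a wildcard matches a single leftmost
label only (app1.contoso.com, not contoso.com or app3.corp.contoso.com);
SAN entries match exactly.  All hostnames below are constructed samples.
"""
from __future__ import annotations


def name_matches(cert_name: str, host: str) -> bool:
    """Return True if a certificate name (SAN entry or wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        # Wildcard covers exactly one extra label, as browsers enforce:
        # *.contoso.com -> app1.contoso.com, but not app1.corp.contoso.com.
        suffix = cert_name[2:]
        labels = host.split(".")
        return (len(labels) == len(suffix.split(".")) + 1
                and labels[0] != ""
                and host.endswith("." + suffix))
    return cert_name == host


def coverage(cert_names: list[str], hosts: list[str]) -> dict[str, str | None]:
    """Map each host to the first certificate name covering it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hosts}


def uncovered(cert_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts that would need a different certificate."""
    return [h for h, n in coverage(cert_names, hosts).items() if n is None]


# Constructed sample: the answer's wildcard scenario plus a child domain.
WILDCARD_CERT = ["*.contoso.com"]
PUBLISHED_HOSTS = ["app1.contoso.com", "app2.contoso.com",
                   "contoso.com", "app3.corp.contoso.com"]

# Constructed sample: the Exchange SAN certificate from the answer.
EXCHANGE_SAN_CERT = ["autodiscover.domain.com", "domain.com", "webmail.domain.com"]
EXCHANGE_HOSTS = ["webmail.domain.com", "autodiscover.domain.com",
                  "domain.com", "mail.domain.com"]

if __name__ == "__main__":
    for label, names, hosts in [("wildcard", WILDCARD_CERT, PUBLISHED_HOSTS),
                                ("Exchange SAN", EXCHANGE_SAN_CERT, EXCHANGE_HOSTS)]:
        for host, match in coverage(names, hosts).items():
            print(f"{label:12} {host:24} -> {match or 'NOT COVERED: needs another cert'}")
```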
Author Closing Comment

by:harold mcmullen
ID: 40447300
I must say, Mahesh, you covered each point thoroughly. The only comment is that I will follow your advice, and thank you very much.
Points well deserved.
Thank you again for taking the time to answer my questions.

Sincerely,
 Harold
