Solved

created standalone and subordinate CA...now what?

Posted on 2014-11-14
Last Modified: 2014-11-17
I created a standalone root CA and an enterprise subordinate CA utilizing the TechNet article (Test Lab Guide) Deploying an AD CS Two-Tier PKI Hierarchy, among other articles, and believe it or not, everything went fine (as far as "I" know!). The capolicy.inf had "LoadDefaultTemplates=0" so that the subordinate CA would not immediately start issuing certificates. Okay! Now here is where I have questions. (And please do not laugh at me... OK, you can, because I won't be able to see you. But it will still hurt my feelings.)
1. Am I correct in presuming that this subordinate server is just for internal stuff?
2. What templates should I load? (I have Exchange Server, Lync Server, DHCP servers, DNS servers, file servers etc.; I also have over 100 clients (users and PCs).)
3. Am I correct in presuming I will need a certificate from a trusted 3rd party such as "Digicert, GoDaddy or VeriSign"?
4. What are trusted 3rd party certificates used for? External use? So anyone who connects to my domain from the outside world would get one of those?
5. If I do need 3rd party certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us".)
6. Would I need "Wildcard" or "SAN"?

I know I sound totally illiterate about this, but I cannot seem to find too much on what to do after one has created the servers.

Also, I was perusing another article about Certificate Policy and Certificate Practice Statements and it seems like such a complicated process. Are these necessary? Or am I reading too much into all of this? (I told you not to laugh at me!!) Man, it seems like one could do just your one job, and one would be constantly busy in an organization just trying to get a PKI up and running... properly.

Let me say in advance, thank you to anyone who responds to my queries. I do understand that you all are very busy also, and to take time to help a clueless tech... well, I really appreciate the help.

Thanks...Harold
Question by: Harold_acld
Accepted Solution

by: Mahesh (earned 500 total points)
ID: 40444216
To answer your questions:
1. Am I correct in presuming that this subordinate server is just for internal stuff?
Yes, you are right. You should not use the certificates issued from this CA on any stuff that is published on the internet; it will create problems because your root CA certificate is not trusted by systems on the internet that are accessing your servers.

2. What templates should I load? (I have Exchange Server, Lync Server, DHCP servers, DNS servers, file servers etc.; I also have over 100 clients (users and PCs).)
It depends upon what you have. You should get 3rd party certificates for your Lync \ Exchange servers.
For other internal servers you can use this CA's certificates, and for your internal desktops \ laptops you can also use this CA's certificates.

3. Am I correct in presuming I will need a certificate from a trusted 3rd party such as "Digicert, GoDaddy or VeriSign"?
For anything that will be published on the internet you do require a certificate from a 3rd party.
Ex: Exchange, Lync, web servers etc.

4. What are trusted 3rd party certificates used for? External use? So anyone who connects to my domain from the outside world would get one of those?
Most of the well-known 3rd party trusted root certs are already installed on servers \ desktops with the Windows default installation, so you don't have to worry about that.
You need to ensure that whatever stuff you made publicly available (web servers, Lync, Exchange OWA etc.) has a cert from a public CA.

5. If I do need 3rd party certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us".)
I cannot find out the exact count without more information; you can count how many applications you are publishing on the internet, and based on this info you need to get that many public certs.

6. Would I need "Wildcard" or "SAN"?
A wildcard certificate is very expensive and should be used when you have multiple application servers published on the internet with the same domain name.
For example, you might have 25 servers published on the internet such as app1.contoso.com, app2.contoso.com and so on.
In that case you can get a wildcard certificate *.contoso.com which will cover all application host names, and then install that cert on each server.

Also, a wildcard certificate will not work for parent-child domains.
For example, contoso.com and corp.contoso.com are two domains; in that case *.contoso.com will only work for applications running under contoso.com.
If you have any apps running under corp.contoso.com, you need another wildcard certificate (*.corp.contoso.com).

According to my understanding you don't need a wildcard cert, and only a SAN certificate will help.
You need one SAN cert for Exchange:
autodiscover.domain.com
domain.com
webmail.domain.com
A SAN certificate can have multiple hostnames.
For the rest of the servers you can have single-name certificates.

The best option could be to contact a 3rd party CA and get certificates for the servers published on the internet.
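The wildcard and SAN rules described in the accepted answer, as an added worked example (not code from the question or the answer): a hostname-coverage check that applies the RFC 6125 / browser wildcard rules to the answer's own names, so you can see before buying which published hosts a *.contoso.com wildcard or an Exchange SAN list would leave uncovered. The host inventories are constructed for illustration.

```python
"""Hostname coverage check for wildcard and SAN certificate names.

Added example (not code from the question or the answer). The host
names are the ones the answer uses (contoso.com, domain.com); the
matching rules are the RFC 6125 / browser rules: '*' only as the whole
leftmost label, covering exactly one label, never the bare domain.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive and a trailing dot is the root.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one subject/SAN DNS name from a certificate covers hostname."""
    cert = _labels(cert_name)
    host = _labels(hostname)
    if cert[0] != "*":
        return cert == host          # plain name: exact match only
    # A wildcard needs at least two labels after the '*' ("*.com" is invalid),
    # and the '*' consumes exactly one label, so the host must have the same
    # label count and an identical suffix.  That is why *.contoso.com covers
    # app1.contoso.com but neither contoso.com nor portal.corp.contoso.com.
    return len(cert) >= 3 and len(host) == len(cert) and host[1:] == cert[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any DNS name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered_hosts(cert_names: list[str], published: list[str]) -> list[str]:
    """Published host names the certificate would NOT cover.

    A pre-purchase inventory check: pass the names you plan to put on
    the cert and the list of externally published hosts.
    """
    return [h for h in published if not cert_covers(cert_names, h)]


if __name__ == "__main__":
    # Constructed inventory using the answer's example names.
    published = ["app1.contoso.com", "app25.contoso.com",
                 "contoso.com", "portal.corp.contoso.com"]
    print(uncovered_hosts(["*.contoso.com"], published))
    # -> ['contoso.com', 'portal.corp.contoso.com']
    exchange_san = ["autodiscover.domain.com", "domain.com", "webmail.domain.com"]
    print(uncovered_hosts(exchange_san, ["webmail.domain.com", "mail.domain.com"]))
    # -> ['mail.domain.com']
```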
Author Closing Comment

by: Harold_acld
ID: 40447300
I must say, Mahesh, you covered each point thoroughly. The only comment is that I will follow your advice, and thank you very much.
Points well deserved.
Thank you again for taking the time to answer my questions.

Sincerely,
Harold