Solved

created standalone and subordinate CA...now what?

Posted on 2014-11-14
276 Views
Last Modified: 2014-11-17
I created a standalone root CA and an enterprise subordinate CA utilizing the TechNet article (Test Lab Guide) Deploying an AD CS Two-Tier PKI Hierarchy, among other articles, and believe it or not, everything went fine (as far as "I" know!). The capolicy.inf had "LoadDefaultTemplates=0" so that the subordinate CA would not immediately start issuing certificates. Okay! Now here is where I have questions. (And please do not laugh at me... ok, you can, because I won't be able to see you, but it will still hurt my feelings.)
1. Am I correct in presuming that this subordinate server is just for internal stuff?
2. What templates should I load? (I have Exchange Server, Lync Server, DHCP servers, DNS servers, file servers, etc.; I also have over 100 clients (users and PCs).)
3. Am I correct in presuming I will need a certificate from a trusted 3rd party such as "DigiCert, GoDaddy or VeriSign"?
4. What are trusted 3rd party certificates used for? External use. So anyone who connects to my domain from the outside world would get one of those?
5. If I do need 3rd party certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us".)
6. Would I need "Wildcard" or "SAN"?

I know I sound totally illiterate about this, but I cannot seem to find much on what to do after one has created the servers.

Also, I was perusing another article about Certificate Policy and Certification Practice Statements and it seems like such a complicated process. Are these necessary? Or am I reading too much into all of this? (I told you not to laugh at me!!) Man, it seems like one could do just this one job and be constantly busy in an organization just trying to get a PKI up and running... properly.

Let me say in advance, thank you to anyone who responds to my queries. I do understand that you all are very busy too, and to take the time to help a clueless tech... well, I really appreciate the help.

Thanks...Harold
Question by:harold mcmullen
2 Comments
LVL 37

Accepted Solution

by: Mahesh earned 500 total points
ID: 40444216
To answer your questions:
1. Am I correct in presuming that this subordinate server is just for internal stuff?
Yes, you are right; you should not use the certificates issued from this CA on any stuff that is published on the internet. It will create problems because your root CA certificate is not trusted by the systems on the internet that are accessing your servers.

2. What templates should I load? (I have Exchange Server, Lync Server, DHCP servers, DNS servers, file servers, etc.; I also have over 100 clients (users and PCs).)
It depends upon what you have. You should get a 3rd party certificate for your Lync \ Exchange servers.
For other internal servers you can use certificates from this CA, and for your internal desktops \ laptops you can use certificates from this CA too.

3. Am I correct in presuming I will need a certificate from a trusted 3rd party such as "DigiCert, GoDaddy or VeriSign"?
For anything that will be published on the internet you do require a certificate from a 3rd party.
Ex: Exchange, Lync, web servers, etc.

4. What are trusted 3rd party certificates used for? External use. So anyone who connects to my domain from the outside world would get one of those?
Most of the well-known 3rd party trusted root certs are already installed on servers \ desktops with the default Windows installation, so you don't have to worry about that.
You need to ensure that whatever stuff you make publicly available (web servers, Lync, Exchange OWA, etc.) has a cert from a public CA.

5. If I do need 3rd party certificates, what kind and how many? (I have 2 domains, "www.domain.job.state.us" and "www.domain.us".)
I cannot work out the exact count without more information; you can count how many applications you are publishing on the internet, and based on that you need to get that many public certs.

6. Would I need "Wildcard" or "SAN"?
A wildcard certificate is very expensive and should be used when you have multiple application servers published on the internet with the same domain name.
For ex: you might have 25 servers published on the internet such as app1.contoso.com, app2.contoso.com and so on.
In that case you can get a wildcard certificate *.contoso.com which will cover all application host names, and then install that cert on each server.

Also, a wildcard certificate will not work for parent-child domains.
For ex: Contoso.com and Corp.Contoso.com are two domains; in that case *.Contoso.com will only work for applications running under Contoso.com.
If you have any apps running under corp.contoso.com, you need another wildcard certificate (*.corp.contoso.com).

According to my understanding you don't need a wildcard cert and only a SAN certificate will help.
You need one SAN cert for Exchange:
autodiscover.domain.com
domain.com
webmail.domain.com
A SAN certificate can have multiple hostnames.
For the rest of the servers you can have single-name certificates.

The best option could be to contact a 3rd party CA and get certificates for the servers published on the internet.
0
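The wildcard and SAN rules in the accepted answer can be checked mechanically. The following is an added example, not code from the original post: it implements the one-label wildcard matching rule (RFC 6125) that explains why *.contoso.com covers app1.contoso.com but neither contoso.com itself nor anything under corp.contoso.com, and it groups a list of published hostnames by the zone a wildcard would have to be issued for. All hostnames are constructed examples.

```python
"""Which public hostnames does a certificate actually cover?

Added illustration for the wildcard vs. SAN discussion (not the answerer's
code). A wildcard stands in for exactly one leftmost DNS label, so it never
covers the apex name or a child zone. Hostnames below are constructed.
"""
from collections import defaultdict


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name (CN or SAN entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname  # plain name: exact, case-insensitive match
    # Wildcard: '*' must replace exactly one label, and the rest must be identical.
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == cert_name[2:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name on the certificate (CN plus SAN list) covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered(cert_names, hostnames):
    """Hostnames that would still need their own cert or an extra SAN entry."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


def wildcards_needed(hostnames):
    """Group hostnames by the zone a wildcard must be issued for.

    Apex names such as contoso.com cannot be covered by any wildcard and are
    returned under the key 'exact' (they need a plain or SAN entry).
    """
    zones = defaultdict(list)
    for h in hostnames:
        labels = h.lower().split(".")
        key = "*." + ".".join(labels[1:]) if len(labels) >= 3 else "exact"
        zones[key].append(h)
    return dict(zones)


if __name__ == "__main__":
    exchange_san = ["domain.com", "autodiscover.domain.com", "webmail.domain.com"]
    print("Exchange SAN covers webmail:", cert_covers(exchange_san, "webmail.domain.com"))
    published = ["app1.contoso.com", "app2.contoso.com", "mail.corp.contoso.com", "contoso.com"]
    print("Not covered by *.contoso.com:", uncovered(["*.contoso.com"], published))
    print("Wildcards required:", wildcards_needed(published))
```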
 
LVL 4

Author Closing Comment

by:harold mcmullen
ID: 40447300
I must say, Mahesh, you covered each point thoroughly. The only comment is that I will follow your advice, and thank you very much.
Points well deserved.
Thank you again for taking the time to answer my questions.

Sincerely,
 Harold
0
