Enterprise or standalone internal Certificate authority


I am looking into setting up an internal CA on our domain. Our domain is Windows 2003 based; however, I am planning on building the certificate authority server on Windows 2008 R2. I really want to keep this as simple as possible, and we are setting this up for only 2 reasons.

1. To allow domain users to update their password when logging in via a FortiGate firewall (SSL VPN). LDAPS communication is needed between the FortiGate and the chosen AD (LDAP) server.
2. To support 802.1X authentication using PEAP for internal Wi-Fi users.

I am not sure whether to go for a Standalone or Enterprise CA. I am thinking more along the lines of an Enterprise CA because this will allow the certs to be distributed via Active Directory. However, if I could use a Standalone CA it would make it easier, as I won't have to mess about with templates. I am open to advice as to what is the better long-term solution. Also, a note that I don't really want to use intermediates or subordinates either.
Will Szymkowski, Senior Solution Architect, commented:
If you are setting this up to ensure that it works smoothly with Active Directory, then you are going to want to use an Enterprise CA. An Enterprise CA will be a lot easier in regards to deployment of certs, and this process is automated as well. Initial configuration for a Standalone CA will be easier; however, it will be more difficult to implement this for what you are doing.

Also see the link below for additional details on Standalone CAs in an AD environment.

Jakob Digranes, Senior Consultant, commented:
@Will is correct. You'd really want to go with an Enterprise CA. The wee bit of extra work needed for setting up an Enterprise CA is paid back many times when it comes to enrolling certificates.

You need to have the root certificate enrolled to all clients. This is automatic with an Enterprise CA; you need a GPO for a Standalone CA.
And given the fact that you want 802.1X with EAP-TLS, you have to enroll certificates for all computers, and possibly also users (depending on your 802.1X setup), which has to be initiated from the client by manually creating a request and importing the certificate. If you have more than half a client computer, it is easier to do this through Automatic Certificate Enrollment.

And templates are easy. For 802.1X certificates you can use the predefined Computer and User templates, and the Computer template for LDAPS.

MickJackson (Author) commented:
Hi guys,

Thanks for that. I was doing some research and I think, as you guys have said, the Enterprise CA is the best way to go.

I have inherited a weird domain layout.

forest root = .net (I don't know what the last admin was thinking)
child = .company.net
child = corp..company.net
child = uk.corp..company.net

All our users sit in the corp and uk domains, so would the best place to create the Enterprise CA be in the corp..company.net domain, or do I need something in the uk.corp..company.net domain too?

Jakob Digranes, Senior Consultant, commented:
Install the Enterprise CA in the forest root (or company.net). Is the root domain only .net? No domain name??????

You control enrollment of certificates using security groups on certificate templates.
a bit more on permissions here: https://support.microsoft.com/en-us/kb/281271
MickJackson (Author) commented:
Hi Jakob, yes, the root domain is just .net. It causes us lots of DNS issues when trying to connect to real .net sites, but that's another story.

So, if I install the Enterprise CA in the .net domain, that should be sufficient? Will I need to install any other CAs in any of the child domains?
Jakob Digranes, Senior Consultant, commented:
Best practice is a 2-tier setup with an offline root and a sub-CA for issuing certs, and possibly one in each domain.
But given your desire to keep this simple, an Enterprise CA in the root domain is sufficient, but please read through the Microsoft KB article attached in my reply to set the correct permissions.
MickJackson (Author) commented:
Hi, OK, I have created the Enterprise CA in the root domain on a Win2k8 R2 server. I ran forestprep and domainprep on the relevant domain controllers, although I am not sure this was strictly necessary. I used a SHA-1 2048-bit CA cert.

I can see Issued Certificates, a CA Exchange and then 2 for each DC (Domain Controller Authentication & Directory Email Replication). The effective time listed is 15:18; however, 10 mins later in Event Viewer I can see warnings:

Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 7 to the following... insufficient access rights to perform the operation. Some Googling around says to check that the Cert Publishers group has permission to read and write to the userCertificate attribute on the user object in AD that is specified in the event.

How do i check this?
Jakob Digranes, Senior Consultant, commented:
I mentioned this in a previous comment; here: https://support.microsoft.com/en-us/kb/281271
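One way to make that check from a management host with PowerShell (an added example, not code from the thread or from the KB article; the domain, the object DN from the event and the CA's computer account DN are placeholder values to replace):

```powershell
# Added example: inspect why AD CS Event ID 80 reports "insufficient access rights"
# when publishing a certificate to an AD object. It checks (1) which ACEs on that
# object grant the Cert Publishers group rights on the userCertificate attribute and
# (2) who is in the Cert Publishers group of the domain that holds the object.
# Placeholders (assumed; take the real values from the event text and your CA):
$DomainDns    = 'corp.company.net'                                         # domain holding the object
$ObjectDn     = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=company,DC=net'  # object named in the event
$CaComputerDn = 'CN=CA01,CN=Computers,DC=net'                              # CA server account (root domain)

$root = [ADSI]"LDAP://$DomainDns/RootDSE"

# Resolve the schemaIDGUID of userCertificate from the schema instead of hard-coding it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainDns/$($root.schemaNamingContext)"
$searcher.Filter = '(lDAPDisplayName=userCertificate)'
[void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
$guidBytes    = $searcher.FindOne().Properties['schemaidguid'][0]
$userCertGuid = New-Object Guid (,[byte[]]$guidBytes)

# Check 1: Allow ACEs for any domain's Cert Publishers group that cover userCertificate,
# either for the whole object (ObjectType = empty GUID) or for that attribute specifically.
$entry = [ADSI]"LDAP://$DomainDns/$ObjectDn"
$rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$aces  = $rules | Where-Object {
    $_.IdentityReference.Value -like '*\Cert Publishers' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $userCertGuid)
}
if ($aces) {
    $aces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Warning "No Cert Publishers ACE covering userCertificate on $ObjectDn"
}

# Check 2: the CA's computer account must end up a member (directly or via nesting) of
# Cert Publishers in the object's domain; that group is domain local, one per domain.
$group   = [ADSI]"LDAP://$DomainDns/CN=Cert Publishers,CN=Users,$($root.defaultNamingContext)"
$members = @($group.member)
"Members of Cert Publishers in ${DomainDns}:"; $members
if ($members -notcontains $CaComputerDn) {
    Write-Warning "$CaComputerDn is not a direct member; check nested groups before re-issuing the request"
}
```

If check 1 shows no ACE, the KB article's dsacls steps are what add it; after changing permissions, the CA can republish by resubmitting the request rather than waiting for a new enrollment.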
MickJackson (Author) commented:
Hi, OK, so I am currently just trying to get scenario 2 working. I have run the 2 commands in the link provided (thanks for that) on one of my domain controllers in the root domain .net.

Will the domain controllers request a cert again automatically or do i manually need to kick this process off?
Jakob Digranes, Senior Consultant, commented:
They should do it through a GPUPDATE /force, I guess..... Give it some time.
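Once a DC has been given time to re-enroll, a way to confirm that it actually got a certificate from the new CA and is serving it on the LDAPS port the FortiGate will use (an added example, not from the thread; it assumes it is run on the DC itself, and $CaName is a placeholder for the CA's common name):

```powershell
# Added example: after "gpupdate /force", verify on the DC that auto-enrollment produced
# a certificate from the new Enterprise CA and that LDAPS (TCP 636) presents it.
$CaName = 'Company Root CA'                                # placeholder: your CA's common name
$DcFqdn = [System.Net.Dns]::GetHostEntry('').HostName     # this DC's FQDN

# Trigger auto-enrollment now instead of waiting for the next Group Policy refresh.
certutil -pulse | Out-Null

# Certificates in the machine store issued by the new CA (Domain Controller
# Authentication, Directory Email Replication, ...).
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*CN=$CaName*" }
$issued | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
if (-not $issued) { Write-Warning "No certificate from $CaName in the machine store yet"; return }

# Open a TLS session to 636 and record what the DC presents. The callback accepts the
# certificate so the handshake completes, but keeps any chain/name error for the report.
$chainStatus = 'OK'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) { $script:chainStatus = $errors.ToString() }
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$tls.AuthenticateAsClient($DcFqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tcp.Close()

# FromNewCA tells you whether LDAPS picked the new certificate rather than an older one;
# ChainStatus other than OK means this machine does not yet trust the CA (root cert not
# distributed) or the name on the certificate does not match the FQDN being connected to.
[pscustomobject]@{
    Subject     = $served.Subject
    Issuer      = $served.Issuer
    NotAfter    = $served.NotAfter
    FromNewCA   = ($issued.Thumbprint -contains $served.Thumbprint)
    ChainStatus = $chainStatus
}
```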