Install CA Certificate Autority on new server
Our CA Is offline and apparently has been for quite some time. A little background, we have 5 domain controllers one is set as the PDC which is a 2008R2. We are in the process of upgrading all of them to new servers currently two are 2012R2 the other three will be upgraded over the next year.
Forgive my newness to this but what does a CA do and can I just go ahead and install the CA on one of the 2012R2 DC servers. What is involve in it or do I need to do? Converting it would be problem I no longer have a server with the name it was looking for. Do I need a CA?
Forgive my newness to this but what does a CA do and can I just go ahead and install the CA on one of the 2012R2 DC servers. What is involve in it or do I need to do? Converting it would be problem I no longer have a server with the name it was looking for. Do I need a CA?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You may have a look at my articles here:
http://www.experts-exchange.com/articles/10727/Quick-Steps-How-to-implement-your-own-Windows-PKI.html
and this on:
http://www.experts-exchange.com/articles/10728/Customizing-Windows-PKI-Some-Tipps-and-Tricks.html
You don't need your own CA but it can be an advantage as more and more services work only with certificates (LYNC / Exchange). Certificates are needed whenever content should be signed or encrypted (i.e. SSL for webserver) or the identity of a service should be provable. The defaults of the newer OS and applications are in the meanwhile set to encrypt traffic as possible.
Some services (like Exchange) create a self signed cert, what can be used, but in a real production environment it produces some headache and is also not so quite easy to handle. With your one CA you have a free and domain based source for certificates wherever they are needed and they are easy to handle, to maintain and are less support intensive than self signed certificates. With some single GPO settings, you can more or less automate the whole process.
For some purposes you need public certificates, whenever anonymous users accesses your services or you communicate with other services outside your domain. As foreign clients doesn't have your root certificate, a public cert is much easier to handle. But public certs costs money, so for internal purposes, you can use your own source for certificates.
http://www.experts-exchange.com/articles/10727/Quick-Steps-How-to-implement-your-own-Windows-PKI.html
and this on:
http://www.experts-exchange.com/articles/10728/Customizing-Windows-PKI-Some-Tipps-and-Tricks.html
You don't need your own CA but it can be an advantage as more and more services work only with certificates (LYNC / Exchange). Certificates are needed whenever content should be signed or encrypted (i.e. SSL for webserver) or the identity of a service should be provable. The defaults of the newer OS and applications are in the meanwhile set to encrypt traffic as possible.
Some services (like Exchange) create a self signed cert, what can be used, but in a real production environment it produces some headache and is also not so quite easy to handle. With your one CA you have a free and domain based source for certificates wherever they are needed and they are easy to handle, to maintain and are less support intensive than self signed certificates. With some single GPO settings, you can more or less automate the whole process.
For some purposes you need public certificates, whenever anonymous users accesses your services or you communicate with other services outside your domain. As foreign clients doesn't have your root certificate, a public cert is much easier to handle. But public certs costs money, so for internal purposes, you can use your own source for certificates.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial