Benefit of Certificate authority for creating certs to be used in-house vs powershell self-signed?

Does a Windows Certificate Authority server in an AD environment allow you to add certificates to the CA so they automatically go out to the computers?
Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
garryshape Asked:

David Johnson, CD, MVP (Owner) Commented:
Yes, you push out the root certificate via Group Policy; therefore all certificates in the chain are trusted.

Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
The aim is to get away from self-signed certificates, which are inherently not trusted.
0

Shaun Vermaak (Technical Specialist IV) Commented:
Does a Windows Certificate Authority server in an AD environment allow you to add certificates to the CA so they automatically go out to the computers?
In addition to the root being deployed via GPO, devices, users, etc. can get certificates automatically. Remember to build it as an Enterprise CA.
Another example is that if any user enables EFS on a folder, the user automatically gets an EFS certificate from the CA and the folder is encrypted with it and the DRA certificate. This enables an admin to recover data.

Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
You can submit CRT to CA with certutil, PowerShell, certificate MMC, etc.
0
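The trust difference the answers above describe can be checked per machine. The following is an added example, not part of the original thread: it builds the chain for every certificate in a store and reports the ones that are self-issued or do not chain to a trusted root. The function name, the demo DNS name and the template placeholder are assumptions made for illustration.

```powershell
# Added example: report whether each certificate in a store chains to a trusted root.
function Get-CertTrustReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation checking is off so the report also works offline (assumption;
        # enable it where the CA's CRL/OCSP endpoints are reachable).
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            # Subject equal to Issuer means self-issued (self-signed or a root).
            SelfIssued   = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}

# Constructed sample: a throwaway self-signed certificate in the current user's store.
$demo = New-SelfSignedCertificate -DnsName 'selfsigned-demo.example.internal' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    # List only the certificates that would need replacing with CA-issued ones.
    Get-CertTrustReport |
        Where-Object { $_.SelfIssued -or -not $_.ChainTrusted } |
        Format-Table Subject, SelfIssued, ChainTrusted, ChainStatus, NotAfter -AutoSize
}
finally {
    # Remove the constructed sample so the store is left as it was.
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
}

# Replacement from an Enterprise CA (template name is a placeholder, not from the thread):
# Get-Certificate -Template '<TemplateName>' -DnsName 'host.example.internal' `
#     -CertStoreLocation 'Cert:\LocalMachine\My'
```

Pass `-StorePath 'Cert:\LocalMachine\My'` from an elevated session to inventory the machine store instead of the user store.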
garryshape (Author) Commented:
Thanks, that really helps.
So currently I just have a Stand Alone CA someone else stood up. Should I "upgrade" it to Enterprise, or spin up a new Enterprise under it?
I can't tell if the Stand Alone CA is healthy because every time I try and access it via web, nothing loads. Nothing in IIS resembling a certsrv directory.
Further, when I open up the console I don't see a Certificate Templates folder nor any way to create a new cert from the console.
0
Shaun Vermaak (Technical Specialist IV) Commented:
So currently I just have a Stand Alone CA someone else stood up. Should I "upgrade" it to Enterprise, or spin up a new Enterprise under it?
I would build a new Enterprise CA.
0
garryshape (Author) Commented:
OK, I'll try. Just not sure if that will hose the current environment or if I can upgrade the existing Stand Alone or migrate.
0