Benefit of Certificate authority for creating certs to be used in-house vs powershell self-signed?

garryshape
Does a Windows Certificate Authority server in an AD environment allow you to add certificates to the CA so they automatically go out to the computers?
Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
Top Expert 2016
Commented:
Yes, you push out the root certificate via Group Policy; therefore all certificates in the chain are trusted.

Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
The aim is to get away from self-signed certificates, which are inherently not trusted.
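
To see the trust difference the answer above describes, this PowerShell (an added example, not part of the original thread) builds the chain for each certificate in a store and flags the self-signed ones. The function name `Get-CertTrustReport` and the DNS name `demo.example.internal` are assumptions made for illustration.

```powershell
# Added example: report, for every certificate in a store, whether it is
# self-signed and whether it chains to a root this machine trusts.
function Get-CertTrustReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation checking is skipped so the check also works offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            # Heuristic: subject equal to issuer means self-issued.
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            ChainLength = $chain.ChainElements.Count
            Trusted     = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        $chain.Reset()
    }
}

# Constructed sample input: a throwaway self-signed certificate that is
# created, inspected and removed again (hypothetical DNS name).
$demo = New-SelfSignedCertificate -DnsName 'demo.example.internal' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    Get-CertTrustReport |
        Where-Object Thumbprint -eq $demo.Thumbprint |
        Format-List
}
finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
}
```

Run against `Cert:\LocalMachine\My` on a domain member, the same function shows which certificates chain to a distributed root and which are still self-signed leftovers.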
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Does a Windows Certificate Authority server in an AD environment allow you to add certificates to the CA so they automatically go out to the computers?
In addition to the root being deployed via GPO, devices, users etc. can get certificates automatically. Remember to build as Enterprise CA.
Another example is that if any user enables EFS on a folder, the user automatically gets an EFS certificate from the CA and the folder is encrypted with it and the DRA certificate. This enables an admin to recover data.

Does it give you an alternative feature/means to, say, generating a cert with "New-SelfSignedCertificate" on your workstation and then deploying it via GPO?
You can submit CRT to CA with certutil, PowerShell, certificate MMC, etc.

Author

Commented:
Thanks, that really helps.
So currently I just have a Stand Alone CA someone else stood up. Should I "upgrade" it to Enterprise, or spin up a new Enterprise under it?
I can't tell if the Stand Alone CA is healthy because every time I try to access it via web, nothing loads. Nothing in IIS resembling a certsrv directory.
Further, when I open up the console I don't see a Certificate Templates folder nor any way to create a new cert from the console.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
So currently I just have a Stand Alone CA someone else stood up. Should I "upgrade" it to Enterprise, or spin up a new Enterprise under it?
I would build a new Enterprise CA.

Author

Commented:
OK, I'll try. Just not sure if that will hose the current environment or if I can upgrade the existing Stand Alone or migrate.
