Certificates question

Apr 14th, 2007

Need solution for Wireless LAN security using PEAP. I'd like to hear from some experts on this.

1) If I set up a Microsoft certificate authority in my Windows 2003 domain, would the workstations automatically trust certificates issued by this CA or would I need to download the root certificate into each workstation? If it's the latter, I'm guessing an automatic deployment via AD is possible?

2) Is setting up a certificate authority a more secure option than simply self-signing a certificate using a tool included in the IIS resource tools called SelfSSL? I mean, the private key wouldn't ever be distributed, so why should it be insecure compared to setting up an internal CA?

Link to SelfSSL - http://support.microsoft.com/kb/840671#11

3) If I go with a public CA like Verisign, does that mean I don't need to set up any CA server internally at all?

Thank you all

ciscors Sun, 04/15/2007 - 09:29

So you suggest setting up an internal certificate authority. Right?

Do you have any experience and documents at that same URL which go into setting up a CA infrastructure? My client has a few offices globally and seems keen to set up a CA server in each office. I think that's a good idea so that if a WAN link were to go down, a local CA server would be able to authenticate users.

I'm trying to find out what kind of server roles I need to install with Microsoft CA. I know there is an Enterprise root CA, Enterprise subordinate CA, and stand-alone root & subordinate CA, and I need to study that to implement this.


ciscors Sun, 04/15/2007 - 19:12

I've been doing research all day long about two-tier PKI infrastructure models, etc. However, since I'll only be issuing certificates to my ACS servers, do I really need more than a single certificate server?

It's a global organization with 3 offices and an ACS server at each office. I'm guessing clients only need to contact the CA server at renewal time and not otherwise. Hence, can I simply make do with a single root CA and a subordinate backup CA?

