Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
401
Views
0
Helpful
4
Replies

Certificates question

ciscors
Level 1
Level 1

‎04-14-2007 03:58 PM - edited ‎07-03-2021 01:55 PM

Need solution for Wireless LAN security using PEAP. I'd like to hear from some experts on this.

1) If I set up a Microsoft certificate authority in my Windows 2003 domain, would the workstations automatically trust certificates issued by this CA or would I need to download the root certificate into each workstation? If it's the latter, I'm guessing an automatic deployment via AD is possible?

2) Is setting up a certificate authority a more secure option than simply self signing a certificate using a tool included in IIS resource tools called SelfSSL. I mean the private kay wouldn't be distributed ever so why should it be insecure compared to setting up an internal CA?

Link to SelfSSL - http://support.microsoft.com/kb/840671#11

3) If I go with a public CA like Verisign, does that mean I don't need to set up any CA server internally at all?

Thank you all

Labels:
0 Helpful
4 Replies 4

diro
Level 1
Level 1

‎04-15-2007 03:23 AM

1. Need to distribute using group policies or manually

http://www.experience247.com/mod/resource/view.php?id=79

2. Can be used but is not advisable

3. Then you don't need to setup a ca but keep in mind that this is not so secure. Your clients will trust any certificate signed by the public ca.

0 Helpful

ciscors
Level 1
Level 1
In response to diro

‎04-15-2007 09:29 AM

So you suggest setting up an internal certificate authority. Right?

Do you have any experience and documents at that same URL which goes into setting up a CA infrastructure? My client has a few offices globally and seems keen to set up a CA server in each office. I think that's a good idea so that if a WAN link were to go down, a local CA server would be able to authenticate users

I'm trying to find out what kind of server roles I need to install with Microsoft CA. I know there is an Enterprise root CA, enterprise sub-ordinate CA, stand-alone root & sub-ordinate CA and need to study that to implement this.

Thx

0 Helpful

ciscors
Level 1
Level 1
In response to ciscors

‎04-15-2007 07:12 PM

I've been doing research all day long about two-tier PKI infrastructure models, etc. However, since I'll only be issuing certificates to my ACS servers, do I really need more than a single certificate server?

It's a global organization with 3 offices and an ACS server at each office. I'm guessing clients only need to contact the CA server at renewal time and not otherwise. Hence, can I simply make do with a single root CA and a sub-ordinate backup CA?

0 Helpful

diro
Level 1
Level 1
In response to ciscors

‎04-15-2007 09:53 PM

If your using peap, only the acs servers need a signed certificate. The users need a ca certificate so your correct setting up multiple ca's is not usefull document on configuring an ms certificate server:

http://www.experience247.com/mod/resource/view.php?id=15

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card