04-14-2007 03:58 PM - edited 07-03-2021 01:55 PM
Need solution for Wireless LAN security using PEAP. I'd like to hear from some experts on this.
1) If I set up a Microsoft certificate authority in my Windows 2003 domain, would the workstations automatically trust certificates issued by this CA or would I need to download the root certificate into each workstation? If it's the latter, I'm guessing an automatic deployment via AD is possible?
2) Is setting up a certificate authority a more secure option than simply self-signing a certificate using a tool included in IIS resource tools called SelfSSL? I mean the private key wouldn't be distributed ever, so why should it be insecure compared to setting up an internal CA?
Link to SelfSSL - http://support.microsoft.com/kb/840671#11
3) If I go with a public CA like Verisign, does that mean I don't need to set up any CA server internally at all?
Thank you all
04-15-2007 03:23 AM
1. Need to distribute using group policies or manually
http://www.experience247.com/mod/resource/view.php?id=79
2. Can be used but is not advisable
3. Then you don't need to set up a CA, but keep in mind that this is not so secure. Your clients will trust any certificate signed by the public CA.
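Added example (not part of the thread or any poster's code): a bash/openssl sketch of the trust decision behind answers 1 and 3, showing what a client accepts when its only trust anchor is an internal root versus a public CA, with and without a server-name check. All CA names, hostnames and file names are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every CA name, hostname and file below is made up.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# make_ca <name>: self-signed root CA (key + certificate)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue <ca> <leaf> <cn>: server certificate for <cn>, signed by <ca>
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 30 -CAcreateserial \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# client_accepts <trusted-root> <leaf> [expected-name]: prints yes or no.
# Models a client that trusts exactly one root and optionally checks the name.
client_accepts() {
  if openssl verify -CAfile "$work/$1.pem" ${3:+-verify_hostname "$3"} \
       "$work/$2.pem" 2>/dev/null | grep -q ': OK$'; then
    echo yes
  else
    echo no
  fi
}

make_ca internal-root   # stands in for the in-house Microsoft CA
make_ca public-ca       # stands in for a commercial CA
issue internal-root acs     acs1.corp.example     # ACS cert from internal CA
issue public-ca     acs-pub acs1.corp.example     # ACS cert from public CA
issue public-ca     other   radius.other.example  # another customer's cert

echo "internal root, own ACS cert:      $(client_accepts internal-root acs acs1.corp.example)"
echo "internal root, public-CA cert:    $(client_accepts internal-root other)"
echo "public CA, other cert, no name:   $(client_accepts public-ca other)"
echo "public CA, other cert, name set:  $(client_accepts public-ca other acs1.corp.example)"
echo "public CA, own ACS cert, name set: $(client_accepts public-ca acs-pub acs1.corp.example)"
```

In the Windows PEAP properties the corresponding controls are the trusted root selection under "Validate server certificate" and the "Connect to these servers" name field.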
04-15-2007 09:29 AM
So you suggest setting up an internal certificate authority. Right?
Do you have any experience and documents at that same URL which go into setting up a CA infrastructure? My client has a few offices globally and seems keen to set up a CA server in each office. I think that's a good idea so that if a WAN link were to go down, a local CA server would be able to authenticate users.
I'm trying to find out what kind of server roles I need to install with Microsoft CA. I know there is an Enterprise root CA, Enterprise subordinate CA, and stand-alone root and subordinate CA, and I need to study that to implement this.
Thx
04-15-2007 07:12 PM
I've been doing research all day long about two-tier PKI infrastructure models, etc. However, since I'll only be issuing certificates to my ACS servers, do I really need more than a single certificate server?
It's a global organization with 3 offices and an ACS server at each office. I'm guessing clients only need to contact the CA server at renewal time and not otherwise. Hence, can I simply make do with a single root CA and a subordinate backup CA?
04-15-2007 09:53 PM
If you're using PEAP, only the ACS servers need a signed certificate. The users need a CA certificate, so you're correct: setting up multiple CAs is not useful. Document on configuring an MS certificate server: