Cisco Support Community


New Member

Certificates question

Need solution for Wireless LAN security using PEAP. I'd like to hear from some experts on this.

1) If I set up a Microsoft certificate authority in my Windows 2003 domain, would the workstations automatically trust certificates issued by this CA or would I need to download the root certificate into each workstation? If it's the latter, I'm guessing an automatic deployment via AD is possible?

2) Is setting up a certificate authority a more secure option than simply self-signing a certificate using a tool included in IIS resource tools called SelfSSL? I mean the private key wouldn't be distributed ever, so why should it be insecure compared to setting up an internal CA?

Link to SelfSSL -

3) If I go with a public CA like Verisign, does that mean I don't need to set up any CA server internally at all?

Thank you all


Re: Certificates question

1. Need to distribute using group policies or manually

2. Can be used but is not advisable

3. Then you don't need to set up a CA, but keep in mind that this is not so secure. Your clients will trust any certificate signed by the public CA.

New Member

Re: Certificates question

So you suggest setting up an internal certificate authority. Right?

Do you have any experience and documents at that same URL which goes into setting up a CA infrastructure? My client has a few offices globally and seems keen to set up a CA server in each office. I think that's a good idea so that if a WAN link were to go down, a local CA server would be able to authenticate users.

I'm trying to find out what kind of server roles I need to install with Microsoft CA. I know there is an Enterprise root CA, enterprise subordinate CA, stand-alone root & subordinate CA and need to study that to implement this.


New Member

Re: Certificates question

I've been doing research all day long about two-tier PKI infrastructure models, etc. However, since I'll only be issuing certificates to my ACS servers, do I really need more than a single certificate server?

It's a global organization with 3 offices and an ACS server at each office. I'm guessing clients only need to contact the CA server at renewal time and not otherwise. Hence, can I simply make do with a single root CA and a subordinate backup CA?


Re: Certificates question

If you're using PEAP, only the ACS servers need a signed certificate. The users need a CA certificate, so you're correct: setting up multiple CAs is not useful. Document on configuring an MS certificate server:
