
Root Certificate Authority

microsoft.public.windows.server.security
Posted by g18c on October 22, 2006, 6:35 am
Hi, I have 2 domain controllers and a need for a RADIUS authenticated
wifi extension of our intranet.

As I understand it, to get good security I should use RADIUS and
certificates. However I will require a certificate server. I have read
about having a standalone root certificate server but this would mean
buying new kit. Is it ok to run my root CA on one of my servers? Can I
just use a not-so-good computer as my root CA, back up the certificate
and take it offline?

Any pointers much appreciated.

Cheers,

Chris


Posted by Gary Reynolds on October 22, 2006, 2:44 pm

Hi Chris,

If you intend to use a single tier PKI then an existing server should be
fine for the job. I'm not sure what you are going to use the RADIUS
server for, but this also has a role in determining the server selection. If
you are going to use it for 802.1x authentication the CA must be an
enterprise CA. The other thing you have to consider is the OS version of the
server. You will need Windows 2003 Enterprise to support autoenrollment,
automatic distribution of certificates to clients.

Here are a couple of links that may help:

Understanding 802.1x
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/8021x_client_configure.mspx
More 802.1x stuff
http://technet2.microsoft.com/WindowsServer/f/?en/library/020c2fcb-e19d-42ef-a88f-a4697be5f69b1033.mspx
Windows 2003 PKI Operational Guide
http://technet2.microsoft.com/WindowsServer/f/?en/Library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx


Managing Windows 2003 PKI
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx


The best source of information on PKI is the Microsoft Windows Server 2003
PKI Certificate Security by Brian Komar, ISBN: 0-7356-2021-0.
This contains examples on how to set up most PKI configuration and has an
excellent introduction into PKI.

Gary.


> Hi, I have 2 domain controllers and a need for a RADIUS authenticated
> wifi extension of our intranet.
>
> As I understand it, to get good security I should use RADIUS and
> certificates. However I will require a certificate server. I have read
> about having a standalone root certificate server but this would mean
> buying new kit. Is it ok to run my root CA on one of my servers? Can I
> just use a not-so-good computer as my root CA, back up the certificate
> and take it offline?
>
> Any pointers much appreciated.
>
> Cheers,
>
> Chris
>



Posted by Brian Komar [MVP] on October 22, 2006, 5:51 pm
g18c@hotmail.com says...
> Hi, I have 2 domain controllers and a need for a RADIUS authenticated
> wifi extension of our intranet.
>
> As I understand it, to get good security I should use RADIUS and
> certificates. However I will require a certificate server. I have read
> about having a standalone root certificate server but this would mean
> buying new kit. Is it ok to run my root CA on one of my servers? Can I
> just use a not-so-good computer as my root CA, back up the certificate
> and take it offline?
>
> Any pointers much appreciated.
>
> Cheers,
>
> Chris
>
>
If at all possible, do not put the root CA on the same computer as a
domain controller. Once installed, you cannot move the CA to a computer
with a different name, nor can you rename the computer once Certificate
Services is installed.
Too many customers forget this when they install CAs on domain
controllers and then wish to move Certificate Services at a later date.
Brian
