Must be a great book!  ;)

http://www.amazon.com/gp/offer-listing/B004RP438O/ref=dp_olp_new?ie=UTF8&condition=new




-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this.

It's not extremely complicated, but it's very good to do all of your reading 
and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and 
copied to a portable disk, and is not a member of the domain.

Make sure that you note when your CRL expires, so that you can bring up your 
root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only 
available as an ebook, unfortunately):
http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM,  <jwalt...@specservices.com> wrote:
> We will be installing Microsoft Lync here very soon and I need to have 
> a certificate authority running.  To date, we’ve not had a need to 
> stand one up and from the research I’ve done, it seems there are a 
> number of ways to go – three tier, two, standalone.
>
>
>
> Our needs are for Lync, maybe some certs for some smart phones and 
> some internal software we’ve written so it’s not a complicated system 
> from our perspective.  At least not for the short term.  I obviously 
> don’t want to do something that I’ll regret later and was looking for 
> some advice from others who have traveled these roads and learned what to do, 
> and what not to do.
>
>
>
> From my research, I think a two tier system will work but I’m not real 
> clear at this point how you have an offline CA (for security purposes) 
> and subordinate CAs to hand out certs.  Still reading up on all that.
>
>
>
> Am I overthinking all this as my Lync installer suggests?  He said 
> that I should just install the certificate role on a DC and that would 
> be that.  I think they might be better at installing and configuring 
> Lync than they are at designing certificate authorities as my research 
> indicates doing that is not the best way to go.
>
> Can anyone share their experiences as time is short and I need to 
> decide what CA to stand up.
>
>
>
> Any advice would be appreciated.
>
>
>
> Thanks
>
>
>
> Jim
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
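
Added example, not part of the original thread or written by any of its participants: one way to track the root CA's CRL expiry mentioned above is to read `thisUpdate` and `nextUpdate` straight from the DER-encoded CRL file. The function names, the 30-day warning window and the sample CRL are assumptions constructed for illustration; the signature is not verified.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime
    s = val.decode("ascii")
    if tag == 0x17:                            # RFC 5280: YY >= 50 means 19YY
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    _, cert_list, _ = _tlv(der, 0)             # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)             # TBSCertList
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0x02:                            # optional version INTEGER
        tag, val, pos = _tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                 # issuer Name
    tag, val, pos = _tlv(tbs, pos)             # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)
        if tag in (0x17, 0x18):                # nextUpdate is optional in X.509
            next_update = _time(tag, val)
    return this_update, next_update

def crl_status(der, now, warn=timedelta(days=30)):
    """Classify a CRL so the offline root can be started before it lapses."""
    _, nxt = crl_validity(der)
    if nxt is None:
        return "no-nextUpdate"
    if now >= nxt:
        return "expired"
    return "renew-soon" if nxt - now <= warn else "ok"

# Constructed sample CRL (dummy signature, short-form lengths), not a real CA's data.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
_ALG = _der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
_NAME = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"Example Root CA"))))
_TBS = _der(0x30, _der(0x02, b"\x01") + _ALG + _NAME
            + _der(0x17, b"120701000000Z") + _der(0x17, b"130101000000Z"))
SAMPLE_CRL = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00" * 9))
```

For a published CRL, pass the raw bytes of the DER `.crl` file and `datetime.now(timezone.utc)` to `crl_status`; a PEM-encoded CRL must be base64-decoded first.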
