RE: Certificate authority
Thanks for the great comments. I'll revisit the design with the vendor helping me implement the solution. It seems clear that I should be using a commercial cert for the edge services - access.xyz.com, webcon.xyz.com, av.xyz.com.

In addition to the needs for my Lync installation, I had originally intended to use an internal CA to issue certs to company laptops and cell phones in the case where management chooses to want to limit access to Outlook Anywhere and ActiveSync to only company issued devices. Does that sound reasonable or is there a better way to limit access to such things to company issued devices should that be their whim?

Jim

From: William Robbins [mailto:dangerw...@gmail.com]
Sent: Wednesday, July 04, 2012 9:21 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

I'd have to concur, especially if federating is in your Lync future. Besides that, if you are utilizing smart phones/3rd party software it's much easier to use certs from an already trusted external CA. Otherwise you'll need to install Root CA chains on your devices for your internal CA. We ended up using a hybrid of internal and external certs, but our internal PKI is mature, and we used 3rd party certs for all the Edges.

- Will

On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond br...@briandesmond.com wrote:

Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

From: jwalt...@specservices.com [mailto:jwalt...@specservices.com]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
Re: Certificate authority
That's one way, but it could be circumvented. You can just disable those features on the mailbox of folks you don't want connecting: http://technet.microsoft.com/en-us/library/bb125264.aspx

And you can maintain the ABQ list for devices that can/can't connect: http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx

- Will

On Thu, Jul 5, 2012 at 8:17 AM, jwalt...@specservices.com wrote:

Thanks for the great comments. I'll revisit the design with the vendor helping me implement the solution. It seems clear that I should be using a commercial cert for the edge services - access.xyz.com, webcon.xyz.com, av.xyz.com.

In addition to the needs for my Lync installation, I had originally intended to use an internal CA to issue certs to company laptops and cell phones in the case where management chooses to want to limit access to Outlook Anywhere and ActiveSync to only company issued devices. Does that sound reasonable or is there a better way to limit access to such things to company issued devices should that be their whim?

Jim

From: William Robbins [mailto:dangerw...@gmail.com]
Sent: Wednesday, July 04, 2012 9:21 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

I'd have to concur, especially if federating is in your Lync future. Besides that, if you are utilizing smart phones/3rd party software it's much easier to use certs from an already trusted external CA. Otherwise you'll need to install Root CA chains on your devices for your internal CA. We ended up using a hybrid of internal and external certs, but our internal PKI is mature, and we used 3rd party certs for all the Edges.

- Will

On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond br...@briandesmond.com wrote:

Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

From: jwalt...@specservices.com [mailto:jwalt...@specservices.com]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
RE: Certificate authority
Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

From: jwalt...@specservices.com [mailto:jwalt...@specservices.com]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
Re: Certificate authority
I'd have to concur, especially if federating is in your Lync future. Besides that, if you are utilizing smart phones/3rd party software it's much easier to use certs from an already trusted external CA. Otherwise you'll need to install Root CA chains on your devices for your internal CA. We ended up using a hybrid of internal and external certs, but our internal PKI is mature, and we used 3rd party certs for all the Edges.

- Will

On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond br...@briandesmond.com wrote:

Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.

Thanks,
Brian Desmond
br...@briandesmond.com
w - 312.625.1438 | c - 312.731.3132

From: jwalt...@specservices.com [mailto:jwalt...@specservices.com]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
Re: Certificate authority
The Komar PKI book is excellent... I bought the paperback a year ago for $28 -- it's rather strange to see the e-book at a premium over this, and the paperback at 10x, but that aside it's a very fine guide to understanding PKI generally and especially worthwhile to get how Windows uses it, even if you have lots of experience with things like PGP, OpenSSL CAs, etc.

--Steve

On Tue, Jul 3, 2012 at 7:17 PM, Kurt Buff kurt.b...@gmail.com wrote:

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
Re: Certificate authority
No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
RE: Certificate authority
Thanks for the advice and I'll take a look at the book.

Jim

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
RE: Certificate authority
Seems the e-book for $50 might be the best way to go as the paperback ones are a tad steep! Must be a signed copy :)
http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Dapsfield-keywords=Windows+Server%AE+2008+PKI+and+Certificate+Security

Jim

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
Re: Certificate authority
Yeah, I swallowed hard and turned away when I saw those, too. However, I can also point you at some good reading material in Technet. Start here, and follow the bouncing ball: http://technet.microsoft.com/en-us/library/cc772393%28v=WS.10%29.aspx

On Tue, Jul 3, 2012 at 4:48 PM, jwalt...@specservices.com wrote:

Seems the e-book for $50 might be the best way to go as the paperback ones are a tad steep! Must be a signed copy :)
http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Dapsfield-keywords=Windows+Server%AE+2008+PKI+and+Certificate+Security

Jim

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
RE: Certificate authority
Must be a great book! ;)
http://www.amazon.com/gp/offer-listing/B004RP438O/ref=dp_olp_new?ie=UTF8condition=new

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone.

Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term. I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.

From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
RE: Certificate authority
The Komar book is worth getting (well, not for $7000!). I've got both editions - at the moment I think it's the best book out there.

Two-tier vs One Tier:

a) what are you going to do if the issuing CA is compromised, or needs to be rebuilt? If you have a system to remove the old root CA cert from your clients (e.g. you don't have 10K+ clients) -and- you are using this for internal use only (i.e. no external users/partners etc.) then maybe a one-tier solution is fine

b) if you have external parties connected to your infrastructure or you have many clients (such that removing the old root CA cert is a hassle), then you need at least a two-tier solution. That allows you to revoke the issuing CA's cert, and distribute the new ICA's cert. Note that you need somewhere (preferably more than one location) to host a CRL, so that clients are aware of the revocation.

c) the more certs you issue, the more of an issue an issuing CA rebuild/compromise becomes - you need to ensure that everyone knows that all of the issued certs are no longer valid. So a resilient CRL is important, and having a root CA that can revoke the ICA cert, and authorise/sign a new ICA cert, is important.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, 4 July 2012 10:14 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

Yeah, I swallowed hard and turned away when I saw those, too.

However, I can also point you at some good reading material in Technet. Start here, and follow the bouncing ball: http://technet.microsoft.com/en-us/library/cc772393%28v=WS.10%29.aspx

On Tue, Jul 3, 2012 at 4:48 PM, jwalt...@specservices.com wrote:
Seems the e-book for $50 might be the best way to go as the paperback ones are a tad steep! Must be a signed copy :)
http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Daps&field-keywords=Windows+Server%AE+2008+PKI+and+Certificate+Security

Jim

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, July 03, 2012 4:17 PM
To: NT System Admin Issues
Subject: Re: Certificate authority

No, you are not overthinking this. It's not extremely complicated, but it's very good to do all of your reading and get your ducks all in a row before you start this.

I went with a two-tier installation - the root CA is a VM that's shut down and copied to a portable disk, and is not a member of the domain. Make sure that you note when your CRL expires, so that you can bring up your root CA in time to generate a new one.

If you want to get more depth on the subject, I recommend this book (only available as an ebook, unfortunately): http://shop.oreilly.com/product/9780735625167.do

Kurt

On Tue, Jul 3, 2012 at 3:48 PM, jwalt...@specservices.com wrote:
We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up and from the research I've done, it seems there are a number of ways to go - three tier, two, standalone. Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written so it's not a complicated system from our perspective. At least not for the short term.

I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do. From my research, I think a two tier system will work but I'm not real clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that.

Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities, as my research indicates doing that is not the best way to go.

Can anyone share their experiences as time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks
Jim
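Kurt's advice (note when the root CA's CRL expires so the offline root can be powered on in time) and Ken's (host the CRL in more than one reachable place) both reduce to a check that can be scheduled. The PowerShell script below is an added example, not code from anyone in this thread; it assumes Windows PowerShell 3.0 or later with certutil.exe, and the certificate path and warning threshold are placeholders. Given an exported copy of the issuing CA's certificate, it reads the CRL Distribution Point URLs from that certificate (for an issuing CA cert these point at the root's CRL), downloads each CRL, and reports the days left before NextUpdate, flagging CDPs that cannot be reached and CRLs that are already expired or inside the lead time you need to bring the root up.

```powershell
# Added example, not code from the thread. Checks the CRLs a certificate
# depends on: is each HTTP CDP reachable, and how many days remain before
# NextUpdate. Assumptions: Windows PowerShell 3.0+ and certutil.exe; both
# parameters are placeholders to replace with your own values.
param(
    [string]$CertPath = 'C:\PKI\IssuingCA.cer',  # exported issuing CA certificate (placeholder)
    [int]$WarnDays    = 14                        # lead time needed to power on the offline root
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
# renders it as text with one "URL=..." line per distribution point.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "No CRL Distribution Points extension in $CertPath" }

$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value } |
    Where-Object { $_ -like 'http*' }   # ldap:/// CDPs are not checked by this script

$results = foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('crlcheck-{0}.crl' -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints " NextUpdate: <date/time in the local format>" for a CRL.
        $dump = certutil.exe -dump $tmp | Out-String
        if ($dump -match 'NextUpdate:\s*(.+)') {
            $next = [datetime]::Parse($Matches[1].Trim())
        } else {
            throw 'NextUpdate not found in certutil output'
        }
        $left = ($next - (Get-Date)).TotalDays
        if     ($left -lt 0)         { $status = 'EXPIRED' }
        elseif ($left -lt $WarnDays) { $status = 'RENEW SOON' }
        else                         { $status = 'OK' }
        [pscustomobject]@{ Url = $url; NextUpdate = $next; DaysLeft = [math]::Round($left, 1); Status = $status }
    } catch {
        # Download or parse failure: the CDP is unusable from here, which clients will notice too.
        [pscustomobject]@{ Url = $url; NextUpdate = $null; DaysLeft = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can alert on it.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Pointing the script at an end-entity certificate instead checks the issuing CA's own CRLs the same way. For a one-off look at a single certificate, `certutil -verify -urlfetch cert.cer` fetches the chain and revocation data for you, but it does not tell you how much time is left before the next CRL is due.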
RE: Certificate Authority
there is both a KB and a technet article. even if you have never done anything with it, the AD trees have to be removed if it was an enterprise CA (which will happen naturally if you remove the CA cleanly).

From: asbz...@gmail.com [asbz...@gmail.com]
Sent: Tuesday, November 03, 2009 5:30 PM
To: NT System Admin Issues
Subject: Re: Certificate Authority

IIRC, there is a document on decommissioning a Cert Server. If you've never done *anything* with it, there may be no issues.

--Original Message--
From: Jeremy Anderson
To: NT Issues
ReplyTo: NT Issues
Subject: Certificate Authority
Sent: Nov 3, 2009 4:53 PM

I need to retire a 2003 DC that is a certificate authority. If it is not being used for anything, can I just uninstall the CA then demote the server? Anything I should be aware of? TIA.
RE: Certificate Authority move during Windows 2008 upgrade.
I realize the article is not for W2k8, but we retired a few 2003 CAs (with other 2k3 CAs) and followed this process of backing up/restoring the CA: http://support.microsoft.com/default.aspx?scid=kb;en-us;298138

Don Guyer
Systems Engineer
Information Services
Prudential Fox Roach/ Trident
431 W. Lancaster Avenue
Devon, PA 19333
Ph: (610) 993-3299
Fax: (610) 650-5306
www.prufoxroach.com
don.gu...@prufoxroach.com

From: Tim Vander Kooi [mailto:tvanderk...@expl.com]
Sent: Thursday, December 18, 2008 12:36 PM
To: NT System Admin Issues
Subject: Certificate Authority move during Windows 2008 upgrade.

I know I have seen that a number of folks on the list have started (or completed) their move to Server 2008. My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues. It seems to be as simple as revoking my 2003 certs that are outstanding, uninstalling the 2003 CA, and then installing a CA on a new 2008 DC and letting clients use the new authority. However, having completed my Exchange 2003 to 2007 migration earlier this year, I tend not to believe that these things are as easy in reality as they appear on paper. :-P

Thanks for any insight you may be able to give,
TVK
RE: Certificate Authority move during Windows 2008 upgrade.
Yeah, I had seen that article too, but since it makes no mention of 2008 I was curious if anyone had tried it and found that the import works as expected on the 2008 CA. It almost seems easier to go the route of revoking the existing certificates and lengthening the CRL life on the old 2003 box, and then installing and starting up a new Enterprise CA on a new server and let it take over. Then again, I am admittedly not an expert on CAs.

TVK

From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Friday, December 19, 2008 9:48 AM
To: NT System Admin Issues
Subject: RE: Certificate Authority move during Windows 2008 upgrade.

I realize the article is not for W2k8, but we retired a few 2003 CAs (with other 2k3 CAs) and followed this process of backing up/restoring the CA: http://support.microsoft.com/default.aspx?scid=kb;en-us;298138

Don Guyer
Systems Engineer
Information Services
Prudential Fox Roach/ Trident
431 W. Lancaster Avenue
Devon, PA 19333
Ph: (610) 993-3299
Fax: (610) 650-5306
www.prufoxroach.com
don.gu...@prufoxroach.com

From: Tim Vander Kooi [mailto:tvanderk...@expl.com]
Sent: Thursday, December 18, 2008 12:36 PM
To: NT System Admin Issues
Subject: Certificate Authority move during Windows 2008 upgrade.

I know I have seen that a number of folks on the list have started (or completed) their move to Server 2008. My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues. It seems to be as simple as revoking my 2003 certs that are outstanding, uninstalling the 2003 CA, and then installing a CA on a new 2008 DC and letting clients use the new authority. However, having completed my Exchange 2003 to 2007 migration earlier this year, I tend not to believe that these things are as easy in reality as they appear on paper. :-P

Thanks for any insight you may be able to give,
TVK
Re: Certificate Authority move during Windows 2008 upgrade.
I just removed my CA from 2003 to 2008 yesterday. I went through a document from Microsoft that detailed all of the steps. I can't find the document itself now, but these are the steps that I went through: http://technet.microsoft.com/en-us/library/cc755153.aspx

On Thu, Dec 18, 2008 at 12:36 PM, Tim Vander Kooi tvanderk...@expl.com wrote:
I know I have seen that a number of folks on the list have started (or completed) their move to Server 2008. My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues. It seems to be as simple as revoking my 2003 certs that are outstanding, uninstalling the 2003 CA, and then installing a CA on a new 2008 DC and letting clients use the new authority. However, having completed my Exchange 2003 to 2007 migration earlier this year, I tend not to believe that these things are as easy in reality as they appear on paper. :-P

Thanks for any insight you may be able to give,
TVK
Re: Certificate Authority move during Windows 2008 upgrade.
Note to self: PROOFREAD

That should say I just *moved*

On Fri, Dec 19, 2008 at 1:01 PM, Rob Bonfiglio robbonfig...@gmail.com wrote:
I just removed my CA from 2003 to 2008 yesterday. I went through a document from Microsoft that detailed all of the steps. I can't find the document itself now, but these are the steps that I went through: http://technet.microsoft.com/en-us/library/cc755153.aspx

On Thu, Dec 18, 2008 at 12:36 PM, Tim Vander Kooi tvanderk...@expl.com wrote:
I know I have seen that a number of folks on the list have started (or completed) their move to Server 2008. My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues. It seems to be as simple as revoking my 2003 certs that are outstanding, uninstalling the 2003 CA, and then installing a CA on a new 2008 DC and letting clients use the new authority. However, having completed my Exchange 2003 to 2007 migration earlier this year, I tend not to believe that these things are as easy in reality as they appear on paper. :-P

Thanks for any insight you may be able to give,
TVK
RE: Certificate Authority move during Windows 2008 upgrade.
Now that this subject has been brought up, anyone have good instructions to share? We are retiring our last w2k server which was a d/c and cert authority. I backed up the cert server as per MS, uninstalled cert services, ran dcpromo and then removed DNS. I guess I'll reinstall cert services just in case it is needed over the weekend. I don't think it has enough space to upgrade to 2k3 so I'm kind of stuck as to how to proceed. I might try to p2v it and then upgrade to 2k3. What do y'all think about that idea? Any suggestions appreciated.

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com]
Sent: Friday, December 19, 2008 1:02 PM
To: NT System Admin Issues
Subject: Re: Certificate Authority move during Windows 2008 upgrade.

Note to self: PROOFREAD

That should say I just *moved*

On Fri, Dec 19, 2008 at 1:01 PM, Rob Bonfiglio robbonfig...@gmail.com wrote:
I just removed my CA from 2003 to 2008 yesterday. I went through a document from Microsoft that detailed all of the steps. I can't find the document itself now, but these are the steps that I went through: http://technet.microsoft.com/en-us/library/cc755153.aspx

On Thu, Dec 18, 2008 at 12:36 PM, Tim Vander Kooi tvanderk...@expl.com wrote:
I know I have seen that a number of folks on the list have started (or completed) their move to Server 2008. My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues. It seems to be as simple as revoking my 2003 certs that are outstanding, uninstalling the 2003 CA, and then installing a CA on a new 2008 DC and letting clients use the new authority. However, having completed my Exchange 2003 to 2007 migration earlier this year, I tend not to believe that these things are as easy in reality as they appear on paper. :-P

Thanks for any insight you may be able to give,
TVK
RE: Certificate Authority move during Windows 2008 upgrade.
I completely blew up our CA system during the move from 2003 to 2008. Thankfully it is only a handful of laptop users that occasionally authenticate with certs to our wireless routers. No idea what I did wrong. Wish I could be more help.

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com]
Sent: Friday, December 19, 2008 1:01 PM
To: NT System Admin Issues
Subject: Re: Certificate Authority move during Windows 2008 upgrade.

My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues
RE: Certificate Authority move during Windows 2008 upgrade.
That is what I would really like to avoid if at all possible. From every TechNet article I can find it appears that you have to have the same name for both servers (although I have found a couple of articles that do say that you can edit the backed up registry entries to match a new server name) and that you must have the same %windows% directory on both machines. Since neither of those rules apply to my situation I'm leaning towards going with this approach, http://support.microsoft.com/kb/889250 after which it looks like a new CA should be able to be installed on a 2008 server to start distributing new certs. I was really hoping that I wasn't the first person to try this foolishness, but maybe I am. Guess it'll be something fun to blog about assuming it all comes out the other end intact.

TVK

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Friday, December 19, 2008 1:25 PM
To: NT System Admin Issues
Subject: RE: Certificate Authority move during Windows 2008 upgrade.

I completely blew up our CA system during the move from 2003 to 2008. Thankfully it is only a handful of laptop users that occasionally authenticate with certs to our wireless routers. No idea what I did wrong. Wish I could be more help.

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com]
Sent: Friday, December 19, 2008 1:01 PM
To: NT System Admin Issues
Subject: Re: Certificate Authority move during Windows 2008 upgrade.

My question is if anyone has moved their CA from 2003 to 2008 yet, and if so, have there been any issues
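Whichever route a CA move takes (the backup/restore process in Don's KB article, or revoking and starting fresh as TVK considers), the step that cannot be redone after the old server is gone is a complete backup of the old CA. The PowerShell script below is an added example, not code from anyone in this thread or from Microsoft; it assumes it runs elevated on the old CA with certutil.exe and reg.exe available, and the destination path is a placeholder. It captures the CA key, certificate and database with certutil -backup, exports the CertSvc configuration registry key (where the server-name entries TVK mentions editing live), records which templates the CA was issuing, keeps the currently published CRL, and refuses to report success if the key file or database is missing.

```powershell
# Added example, not code from the thread or from Microsoft. Captures what a
# certutil backup/restore style CA move needs from the old server before it
# is retired. Run elevated on the old CA. Assumptions: certutil.exe and
# reg.exe are available; $BackupRoot is a placeholder.
param([string]$BackupRoot = 'D:\CABackup')   # placeholder destination, ideally removable media

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest -ErrorAction Stop | Out-Null

# 1. CA certificate, private key and the certificate database. certutil
#    prompts interactively for a password that protects the exported key (.p12).
certutil.exe -backup $dest
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# 2. The CA configuration (CRL periods, CDP/AIA URLs, server name, ...) lives
#    in this registry key; a restore on the new box needs it, and it is where
#    the server-name entries are if the new machine is not named the same.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
reg.exe export $regKey (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "registry export failed (exit code $LASTEXITCODE)" }

# 3. Which templates an enterprise CA was issuing, so the same set can be
#    enabled on the replacement (a standalone CA has none and certutil says so).
certutil.exe -catemplates | Out-File -FilePath (Join-Path $dest 'templates.txt')

# 4. Keep the currently published CRL(s) alongside the backup.
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll\*.crl') -Destination $dest -ErrorAction SilentlyContinue

# 5. Refuse to call it done unless the key file and the database are present.
#    certutil -backup writes <CA name>.p12 in $dest and the database under DataBase\.
$pfx = Get-ChildItem -Path $dest -Filter '*.p12'
$edb = Get-ChildItem -Path (Join-Path $dest 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $pfx -or -not $edb) { throw "Backup in $dest is incomplete: expected a .p12 key file and DataBase\*.edb" }

Write-Host "CA backup complete: $dest"
Get-ChildItem -Path $dest -Recurse | Select-Object FullName, Length
```

The output folder is what the restore on the replacement server consumes, so copy it off the old machine (and keep the .p12 password somewhere other than the same folder) before uninstalling Certificate Services or running dcpromo, which is the order Jim's message above shows going wrong when the backup turns out to be needed later.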