PKI Issuing CA on Domain Controllers

Posted by dunxd on Server Fault See other posts from Server Fault or by dunxd
Published on 2010-12-30T11:25:42Z Indexed on 2010/12/30 11:56 UTC
Read the original article Hit count: 340

Filed under:

active-directory

|

pki

I am setting up a PKI which will initially be used internally. As we may grow our use of this I have opted for a three tier hierarchy - Offline Root and Policy CAs (one Policy CA at the moment for internal use), and online issuing CAs. We had initially discussed using our Domain Controllers as the Issuing CAs rather than setting up dedicated ones.

I am now starting to have doubts about whether it is a good idea to have our DCs do certificate issuing. We have less than 1000 users, so our DCs aren't hugely taxed.

Does anyone have any suggestions for or against doing this?

We are currently running Windows 2003 Active Directory, but will be upgrading to Windows 2008 in the coming year. I'm setting up Windows 2008 PKI.

© Server Fault or respective owner

Related posts about active-directory

Can't join OS X Mavericks to AD Domain

as seen on Server Fault - Search for 'Server Fault'
I'm attempting to join an OS X Mavericks (10.9) client to a Windows Server 2008 Active Directory domain, however the bind fails with this error in the OS X client's system.log: Oct 24 15:03:15 host.domain.com com.apple.preferences.users.remoteservice[5547]: -[ODCAddServerSheetController handleOtherActionError:… >>> More
Retrieve user details from Active Directory using SID

as seen on Server Fault - Search for 'Server Fault'
Hi, How can I find a user in my AD when I have his/her SID. I don't want to rely on other attributes, since I am trying to detect changes to these. Example: I get a message about a change to user record containing: Message: User Account Changed: Target Account Name: test12 Target… >>> More
Retrieve user details from Active Directory using GUID

as seen on Server Fault - Search for 'Server Fault'
Hi, How can I find a user in my AD when I have his/her GUID. I don't want to rely on other attributes, since I am trying to detect changes to these. >>> More
Retrieve user details from Active Directory using GUID [closed]

as seen on Super User - Search for 'Super User'
Hi, How can I find a user in my AD when I have his/her GUID. I don't want to rely on other attributes, since I am trying to detect changes to these. >>> More
Office365 DirSync Active Directory Integration

as seen on Server Fault - Search for 'Server Fault'
I am preparing to deploy Office365 for my organization. We have an on premise Active Directory Domain Controller (Windows Server 2012 R2). We would like to leverage our Active Directory for: automatic user provisioning in Office365, and password synchronization, using the DirSync tool. Our Active… >>> More

Related posts about pki

Microsoft PKI or PKI Vendor ?

as seen on Super User - Search for 'Super User'
I have a question related to PKI Infrastructure , should an organization go with Microsoft PKI or an independent separate PKI Infrastructure ? Is there any licensing restrictions if I user Microsoft PKI Infrastructure ? Or should I get an independent PKI infrastructure from a vendor that offer PKI… >>> More
Microsoft PKI or PKI Vendor ?

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a question related to PKI Infrastructure , should an organization go with Microsoft PKI or an independent separate PKI Infrastructure ? Is there any licensing restrictions if I user Microsoft PKI Infrastructure ? Or should I get an independent PKI infrastructure from a vendor that offer PKI… >>> More
PKI Issuing CA on Domain Controllers

as seen on Server Fault - Search for 'Server Fault'
I am setting up a PKI which will initially be used internally. As we may grow our use of this I have opted for a three tier hierarchy - Offline Root and Policy CAs (one Policy CA at the moment for internal use), and online issuing CAs. We had initially discussed using our Domain Controllers as the… >>> More
Inscription automatique de certificats avec une PKI sous Windows Server 2008 R2, par Michaël Todorov

as seen on Developper.com - Search for 'Developper.com'
Cet article va vous permettre d'apprendre à configurer l'inscription automatique de certificats pour vos utilisateurs et ordinateurs sous Windows Server 2008 R2. >>> More
Using SSL on slapd

as seen on Server Fault - Search for 'Server Fault'
I am setting up slapd to use SSL on Fedora 14. I have the following in my /etc/openldap/slapd.d/cn=config.ldif: olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key olcTLSCipherSuite:… >>> More