Re: Should I install my own CA for use with OWA?
From: mmac (no_at_thank.you)
Date: Mon, 19 Jul 2004 23:14:31 -0700
> 1. Not sure.
Does that mean it doesn't matter which one I put it on?
> 2. Not much will change on the LAN. If you are using Microsoft Certificate
> Services you should factor in backup/restore of the CA. Additionally, once
> you make a machine a MS Certificate Services server, you can no longer
> promote it to a DC (if it's a member server), nor demote it (if it's
> a DC)
Thats because the certs would become invalid if I did, isn't that right?
> 3. I would suggest an AD-integrated CA. This means that machines in your
> domain automatically trust the CA, and users using those machines (eg
> laptops) will not get a warning about the certificate being issued by an
> untrusted CA. That's a minor plus. The other alternatives are (a) buy an
> certificate from a trusted 3rd party vendor (eg Thawte, Verisign,
> or (b) have the users put up wth the warning or (c) manually install the
> CA's root cert into the user's certificate store
Both types can be AD integrated, the enterprise version is manditory, the
standalone will use it if available. But use it how?
I have seen a script to install the cert in the trusted zones and I can
certainly install them into each users machine manually if I had to so that
doesn't bother me too much. But which one are you referring to when you say
AD integrated? It sound like enterprise?
> "mmac" <email@example.com> wrote in message
> > Using win2k, exchange 2k.
> > I need to enable Outlook Web Access for my traveling people, I
> > that to do this properly I need to use using SSL. I know next to
> > about this subject so I am running through a technet article on the
> > and here are the first questions that come to mind, All this is assuming
> > that I should install my own CA. If I shouldn't why not?
> > 1. I have a webserver, email server, and streaming media server, would
> > matter which one I installed CA on?
> > 2. Will anything on my existing LAN change when this is completed that I
> > would have to advise users about? Does this become a part of daily life
> > only when the OWA is accessed?
> > 3.Should I use an Enterprise CA or StandAlone? All legitimate users
> > obviously have an email account and therefore be in AD so it seems that
> > would want the Enterprise style. However, the OWA would be accessed from
> > over the world on any number of outside networks. Does it matter where
> > OWA would be accessed from?
> > 4. how long should I make the Certs Valid for?
> > 5. What good would a subordinate CA be for me? If I understand it
> > none?
> > I will have a bunch more but this is a start. Help?