Re: SBS 2003 Premium and Cert Services

From: Chad A Gross [SBS-MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 02/09/05


Date: Tue, 8 Feb 2005 19:53:50 -0600

It doesn't cost - but if you don't purchase a root CA cert, it's going to be
a PITA. You mention secure email as an example. In order to do this,
you're going to have to distribute your self-created root CA cert to
everyone in addition to any certs you create. The remote users can trust
you (as a root CA) and the certs you issue, but it's not as straightforward
as it would be otherwise.

Not to mention that most corporate use policies will prohibit trusting a
self-created root CA cert . . . And certs are coming way down in price,
which makes it harder to justify being your own CA and the support issues
involved with it. One example:

Cheap SSL Certificate:
http://www.digicert.com/digid.html

And I think I've even seen somewhere offering certs for under $50 - but I
can't remember where I saw it . . . :^)

-- 
Chad A. Gross  [SBS-MVP]
SBS ROCKS!!!
"tester" <tester@testthis.net> wrote in message 
news:110i5g89vgpgf45@corp.supernews.com...
> that's what I thought, so there is no real issue loading cert svs on the 
> sbs then right?
> I'm going untrusted for now.  but in development we want to mess with 
> mapping users to certs for other applications, secure email using certs, 
> etc.  since it would not cost us to implement this then it was looked at 
> as an alternative for now.
>
> "MCSEGURU" <mcseguruhere@aol.com> wrote in message 
> news:OEDix4gDFHA.3648@TK2MSFTNGP10.phx.gbl...
>> Do you care if your certs are "trusted" by your remote computers?  If so, 
>> do you intend on installing your root CA cert on their computers, or will 
>> you purchase a root CA cert from a trusted Root CA?  If you are 
>> considering purchasing a root CA cert from a trusted Root CA, you might 
>> be better off (cost wise) to purchase a certificate solution from a 
>> provider. Trusted Root CA certificates can be expensive.
>>
>> If however, you take the no cost route, and have all your remote users 
>> install your "un-trusted" root CA on all their remote computers, you may 
>> be able to issue user certs for single sign on.
>>
>>
>>
>> "tester" <tester@testthis.net> wrote in message 
>> news:110hvhtlhg5hf70@corp.supernews.com...
>>> Thanks Mariana for the response,
>>> I know that SBS creates its own but it isn't just certs for SBS, I want 
>>> it (the CA) to issue certs for other servers, for users, etc.  That is 
>>> why I figured I'd load it on my main server.  Since that is an SBS box I 
>>> thought I'd look for some more expert opinion.
>>>
>>> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in 
>>> message news:%237KYsagDFHA.148@TK2MSFTNGP14.phx.gbl...
>>>> Hi,
>>>>
>>>> SBS doesn't need the certificate services as it creates its own 
>>>> certificate.
>>>> Just run the CEICW wizard.
>>>>
>>>> -- 
>>>> Regards,
>>>>
>>>> Marina
>>>> Microsoft SBS-MVP
>>>> One of the Magical M&M's
>>>>
>>>> "tester" <tester@testthis.net> wrote in message
>>>> news:110htlf4jds2u6b@corp.supernews.com...
>>>>> I am thinking of loading certificate services on my sbs premium server
>>>>> (with ISA on it and a HDW firewall in front of it) to issue my own certs
>>>>> for sharepoint single sign on and for Outlook as well as for some other
>>>>> internal applications.  Anything I need to look out for before? anyone
>>>>> have a how to or is it simply add it then configure?
>>>>>
>>>>> I want to set it up as the top level ca for the domain/organization.
>>>>> Am I better off loading it on another server?  I have a server that will
>>>>> host sharepoint portal and a few other web sites, internal and external,
>>>>> as well as lcs 2005 so I guess I could put it there.  Ideas? Opinions?
>>>>> Never really had CS loaded so am just toying with the idea at the
>>>>> moment.
>>>>> Seems like it might be a good thing to put on the network.
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 
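
Added example (not part of the thread): the trust requirement discussed above, reproduced with the OpenSSL command line rather than Windows Certificate Services. A certificate issued by a self-created root only validates on a client that has been given that root; the CA name, host name and file layout are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example; all names (Example Private Root CA, mail.example.test) are constructed.
set -eu

# Create a throwaway private root CA in $1 and issue one leaf certificate from it.
make_pki() {
  dir="$1"
  # Minimal config so the root is an explicit CA regardless of the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = Example Private Root CA' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  # Self-signed root: the "self-created root CA cert" the thread talks about.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Key and signing request for a hypothetical internal mail host.
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # The root signs the request, producing a certificate issued by your own CA.
  openssl x509 -req -in "$dir/leaf.csr" -days 30 -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

# Remote user who never received the root: the trust store is an empty directory.
verify_without_root() {
  mkdir -p "$1/empty"
  openssl verify -CApath "$1/empty" "$1/leaf.crt" 2>&1 | grep -q ': OK$'
}

# Remote user who installed the distributed root certificate.
verify_with_root() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1 | grep -q ': OK$'
}

# Build the PKI once and report how each kind of client sees the leaf.
demo() {
  d="$(mktemp -d)"
  make_pki "$d"
  if verify_without_root "$d"; then r1=trusted; else r1=untrusted; fi
  if verify_with_root "$d"; then r2=trusted; else r2=untrusted; fi
  rm -rf "$d"
  echo "without-root=$r1 with-root=$r2"
}

demo
```

The private keys are written unencrypted to a temporary directory because the PKI is discarded at the end of the run.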

