Re: SBS 2003 Premium and Cert Services
From: tester (tester_at_testthis.net)
Date: 02/09/05
- Next message: Pedro: "Re: RealTek vs Another Brand"
- Previous message: yorkiechris: "Client Internet old chestnut"
- In reply to: Chad A Gross [SBS-MVP]: "Re: SBS 2003 Premium and Cert Services"
- Next in thread: MCSEGURU: "Re: SBS 2003 Premium and Cert Services"
- Reply: MCSEGURU: "Re: SBS 2003 Premium and Cert Services"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 9 Feb 2005 08:17:06 -0700
Thanks for the explanation, Chad.
So, in summary, you do not recommend putting it on the SBS server, but
rather on a separate server, and one that is not a file server or an
Exchange server. What about a SharePoint portal server that also hosts
other web sites, internal and external? Would that be a satisfactory place?
And I will spend the money for sure.
"Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
message news:ueqtgxmDFHA.4020@TK2MSFTNGP14.phx.gbl...
> (I'm using 'you' in a generic sense here - not referring to you (MCSEGURU)
> specifically ;^)
>
> Well, that is the preferred setup as far as the Certificate Services
> configuration is concerned - and you absolutely, positively don't want to
> expose Certificate Services to the web when it's running on an SBS. Due
> to security concerns, public-facing Certificate Servers should not be a
> DC, or an Exchange server, or a file server, or all of these rolled up
> into one.
>
> Now, you could get around this by either manually distributing your CA
> Cert, or you could edit the properties of your Certification Authority to
> include a different public URL where the CA Cert lives, then upload the CA
> Cert to that location. This still doesn't keep the process as streamlined
> as it normally should be - but you don't have to manually distribute the
> CA Cert either. The thing is that foreign users will not be able to
> install any certs you create until they trust you as a CA, which requires
> installing your CA Cert. So for example, if a foreign user browsed to an
> SSL-encrypted web site that was using an SSL Cert you created, they'd get
> a security warning indicating that the certificate was issued by a company
> they haven't chosen to trust. The user would have to view the
> certificate, then go to the certification path, select the CA (you) and
> view that certificate (which would open the CA Cert uploaded to the
> public URL). The foreign user could then install the CA Cert, adding you
> as a trusted CA, return to the SSL certificate and install the SSL cert,
> then continue to the encrypted page.
>
> And just think - for $100 you could purchase a cert from a trusted root CA
> which means that no one would have to install anything - it's all verified
> in the background without any user intervention . . . Which makes for
> happy customers & partners :^)
>
> --
> Chad A. Gross [SBS-MVP]
>
> SBS ROCKS!!!
>
> "MCSEGURU" <mcseguruhere@aol.com> wrote in message
> news:urwpmbmDFHA.2824@tk2msftngp13.phx.gbl...
>> Additionally,
>>
>> Please correct me if I'm wrong, I don't claim to be the "be all end all"
>> expert on much of anything. Technology changes way too fast for me to
>> keep up in every market.
>>
>> You may have to publish your Cert SVR (ie. to the web) in order for it to
>> issue User Certs for each session on the fly. I think when using certs
>> for authentication the session verifies the user, and then creates a
>> session cert based upon successful authentication of the user combined
>> with the machine id (ie. user and the hardware or node) upon session
>> negotiation. But, I could be way off here, I think there are multiple
>> ways of implementing certificates for encryption and authentication.
>>
>> Maybe others know more about other ways of implementing this.
>>
>>
>> "Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
>> message news:OhLiLpkDFHA.1936@TK2MSFTNGP14.phx.gbl...
>>> It doesn't cost - but if you don't purchase a root CA cert, it's going
>>> to be a PITA. You mention secure email as an example. In order to do
>>> this, you're going to have to distribute your self-created root CA cert
>>> to everyone in addition to any certs you create. The remote users can
>>> trust you (as a root CA) and the certs you issue, but it's not as
>>> straight-forward as it would be otherwise.
>>>
>>> Not to mention that most corporate use policies will prohibit trusting a
>>> self-created root CA cert . . . And certs are coming way down in
>>> price, which makes it harder to justify being your own CA and the
>>> support issues involved with it. One example:
>>>
>>> Cheap SSL Certificate:
>>> http://www.digicert.com/digid.html
>>>
>>> And I think I've even seen somewhere offering certs for under $50 - but
>>> I can't remember where I saw it . . . :^)
>>>
>>> --
>>> Chad A. Gross [SBS-MVP]
>>>
>>> SBS ROCKS!!!
>>>
>>> "tester" <tester@testthis.net> wrote in message
>>> news:110i5g89vgpgf45@corp.supernews.com...
>>>> that's what I thought, so there is no real issue loading cert svs on
>>>> the sbs then right?
>>>> I'm going untrusted for now. but in development we want to mess with
>>>> mapping users to certs for other applications, secure email using
>>>> certs, etc. Since it would not cost us to implement this, it was
>>>> looked at as an alternative for now.
>>>>
>>>> "MCSEGURU" <mcseguruhere@aol.com> wrote in message
>>>> news:OEDix4gDFHA.3648@TK2MSFTNGP10.phx.gbl...
>>>>> Do you care if your certs are "trusted" by your remote computers? If
>>>>> so, do you intend on installing your root CA cert on their computers,
>>>>> or will you purchase a root CA cert from a trusted Root CA? If you
>>>>> are considering purchasing a root CA cert from a trusted Root CA, you
>>>>> might be better off (cost wise) to purchase a certificate solution
>>>>> from a provider. Trusted Root CA certificates can be expensive.
>>>>>
>>>>> If however, you take the no cost route, and have all your remote users
>>>>> install your "un-trusted" root CA on all their remote computers, you
>>>>> may be able to issue user certs for single sign on.
>>>>>
>>>>>
>>>>>
>>>>> "tester" <tester@testthis.net> wrote in message
>>>>> news:110hvhtlhg5hf70@corp.supernews.com...
>>>>>> Thanks Mariana for the response,
>>>>>> I know that SBS creates its own but it isn't just certs for SBS, I
>>>>>> want it (the CA) to issue certs for other servers, for users, etc.
>>>>>> That is why I figured I'd load it on my main server. Since that is
>>>>>> an SBS box I thought I'd look for some more expert opinion.
>>>>>>
>>>>>> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
>>>>>> message news:%237KYsagDFHA.148@TK2MSFTNGP14.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> SBS doesn't need the certificate services as it creates its own
>>>>>>> certificate.
>>>>>>> Just run the CEICW wizard.
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>>
>>>>>>> Marina
>>>>>>> Microsoft SBS-MVP
>>>>>>> One of the Magical M&M's
>>>>>>>
>>>>>>> "tester" <tester@testthis.net> wrote in message
>>>>>>> news:110htlf4jds2u6b@corp.supernews.com...
>>>>>>>> I am thinking of loading certificate services on my sbs premium
>>>>>>>> server (with ISA on it and a HDW firewall in front of it) to issue
>>>>>>>> my own certs for sharepoint single sign on and for Outlook as well
>>>>>>>> as for some other internal applications. Anything I need to look
>>>>>>>> out for before? Anyone have a how-to, or is it simply add it then
>>>>>>>> configure?
>>>>>>>>
>>>>>>>> I want to set it up as the top level ca for the domain/organization.
>>>>>>>> Am I better off loading it on another server? I have a server that
>>>>>>>> will host sharepoint portal and a few other web sites, internal and
>>>>>>>> external, as well as lcs 2005 so I guess I could put it there.
>>>>>>>> Ideas? Opinions? Never really had CS loaded so am just toying with
>>>>>>>> the idea at the moment. Seems like it might be a good thing to put
>>>>>>>> on the network.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>