IMHO, look at what purposes you need a CA for. If it's just to have a CA issue certs for content inspection, or a few SSL certs, then I'm not sure the overhead of an offline CA is worth it.
If you're able to get hold of one of Brian Komar's books, it has good guidance on CA hierarchies and when/why you should have them.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Tuesday, 14 October 2014 2:35 PM
To: [email protected]
Subject: RE: [NTSysADM] Windows CA Server

+1

Jon

> Date: Mon, 13 Oct 2014 19:36:29 -0700
> Subject: Re: [NTSysADM] Windows CA Server
> From: [email protected]
> To: [email protected]
>
> No particular gotchas, but my preference would be to use the
> latest/greatest versions of server, and please do make sure you make
> it a 2-tier CA infrastructure, keeping the root offline.
>
> Just read the docs, carefully and multiple times (at least three!),
> before you start.
>
> Kurt
>
> On Mon, Oct 13, 2014 at 3:57 PM, Matthew W. Ross
> <[email protected]> wrote:
> > We have been happily getting by without doing SSL inspection on our content
> > filter. Now, it seems that we may need to take that next step.
> >
> > I'm making a windows CA server on our VMWare cluster now.
> >
> > Before I get too deep, any "gotchas" I should be looking for? Looking into
> > this, it looks like I might be diving right into the deep end. Time for a
> > lot of reading...
> >
> >
> > --Matt Ross
> > Ephrata School District

