The Komar book is worth getting (well, not for $7000!). I've got both editions 
- at the moment I think it's the best book out there.

Two-tier vs One Tier:
a) what are you going to do if the issuing CA is compromised, or needs to be 
rebuilt? If you have a system to remove the old root CA cert from your clients 
(e.g. you don't have 10K+ clients) -and- you are using this for internal use 
only (i.e. no external users/partners etc.) then maybe a one-tier solution is 
fine.

b) if you have external parties connected to your infrastructure or you have 
many clients (such that removing the old root CA cert is a hassle), then you 
need at least a two-tier solution. That allows you to revoke the issuing CA's 
cert, and distribute the new ICA's cert. Note that you need somewhere 
(preferably more than one location) to host a CRL, so that clients are aware of 
the revocation.

c) the more certs you issue, the more of an issue an issuing CA 
rebuild/compromise becomes - you need to ensure that everyone knows that all of 
the issued certs are no longer valid. So a resilient CRL is important, and 
having a root CA that can revoke the ICA cert, and authorise/sign a new ICA 
cert is important.

Cheers
Ken


-----Original Message-----
From: Kurt Buff [mailto:[email protected]] 
Sent: Wednesday, 4 July 2012 10:14 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

Yeah, I swallowed hard and turned away when I saw those, too.

However, I can also point you at some good reading material in Technet. Start 
here, and follow the bouncing ball:
http://technet.microsoft.com/en-us/library/cc772393%28v=WS.10%29.aspx

On Tue, Jul 3, 2012 at 4:48 PM,  <[email protected]> wrote:
> Seems the e-book for $50 might be the best way to go as the paperback ones 
> are a tad steep!   Must be a signed copy :)
>
> http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Daps&field-keywords=Windows+Server%AE+2008+PKI+and+Certificate+Security
>
> Jim
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Tuesday, July 03, 2012 4:17 PM
> To: NT System Admin Issues
> Subject: Re: Certificate authority
>
> No, you are not overthinking this.
>
> It's not extremely complicated, but it's very good to do all of your reading 
> and get your ducks all in a row before you start this.
>
> I went with a two-tier installation - the root CA is a VM that's shut down 
> and copied to a portable disk, and is not a member of the domain.
>
> Make sure that you note when your CRL expires, so that you can bring up your 
> root CA in time to generate a new one.
>
> If you want to get more depth on the subject, I recommend this book (only 
> available as an ebook, unfortunately):
> http://shop.oreilly.com/product/9780735625167.do
>
> Kurt
>
> On Tue, Jul 3, 2012 at 3:48 PM,  <[email protected]> wrote:
>> We will be installing Microsoft Lync here very soon and I need to have a 
>> certificate authority running.  To date, we’ve not had a need to stand one 
>> up and from the research I’ve done, it seems there are a number of ways to 
>> go – three tier, two, standalone.
>>
>> Our needs are for Lync, maybe some certs for some smart phones and some 
>> internal software we’ve written so it’s not a complicated system from our 
>> perspective.  At least not for the short term.  I obviously don’t want to 
>> do something that I’ll regret later and was looking for some advice from 
>> others who have traveled these roads and learned what to do, and what not to 
>> do.
>>
>> From my research, I think a two tier system will work but I’m not real 
>> clear at this point how you have an offline CA (for security purposes) and 
>> subordinate CAs to hand out certs.  Still reading up on all that.
>>
>> Am I overthinking all this as my Lync installer suggests?  He said that I 
>> should just install the certificate role on a DC and that would be that.  
>> I think they might be better at installing and configuring Lync than they 
>> are at designing certificate authorities as my research indicates doing 
>> that is not the best way to go.
>>
>> Can anyone share their experiences as time is short and I need to decide 
>> what CA to stand up.
>>
>> Any advice would be appreciated.
>>
>> Thanks
>>
>> Jim
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
>
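A check for the CRL point raised in both replies above (Ken's resilient CRL hosting, Kurt's "note when your CRL expires"): an added PowerShell example, not from anyone on this thread, that pulls each published CRL from its distribution point and reports how long remains until NextUpdate. The CDP URLs are placeholders for your own, and it assumes certutil -dump labels the field "NextUpdate:".

```powershell
# Added example: warn before a published CRL reaches NextUpdate, so the offline
# root can be brought up and a fresh CRL published while clients still trust it.
# A CRL past NextUpdate means clients cannot confirm revocation status at all.
# Assumptions: the URLs below are placeholders for your CDP locations; certutil
# prints the validity as "ThisUpdate:" / "NextUpdate:" lines in local time and
# the machine's culture, which is what [datetime]::Parse and Get-Date also use.
$cdpUrls = @(
    'http://pki.example.internal/CertEnroll/Example%20Root%20CA.crl',
    'http://pki.example.internal/CertEnroll/Example%20Issuing%20CA.crl'
)
$warnDays = 7   # start warning this many days before NextUpdate

function Get-CrlNextUpdate {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        $null = Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
        # certutil can dump a CRL file directly; take the first NextUpdate line
        $line = certutil -dump $tmp | Select-String 'NextUpdate:' | Select-Object -First 1
        if (-not $line) { throw "No NextUpdate found in $Url (not a CRL?)" }
        [datetime]::Parse(($line.Line -replace '^.*NextUpdate:\s*', '').Trim())
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

foreach ($url in $cdpUrls) {
    try {
        $next = Get-CrlNextUpdate -Url $url
        $left = ($next - (Get-Date)).TotalDays
        $status = if ($left -lt 0) { 'EXPIRED' } elseif ($left -lt $warnDays) { 'WARN' } else { 'OK' }
        '{0,-8} {1:yyyy-MM-dd HH:mm} ({2,6:N1} days) {3}' -f $status, $next, $left, $url
    }
    catch {
        # an unreachable CDP is itself a finding: clients cannot fetch the CRL either
        'ERROR    {0}: {1}' -f $url, $_.Exception.Message
    }
}
```

Run it from a machine that reaches the CDPs the same way your clients do, so that a host-only or firewalled distribution point shows up as ERROR rather than OK.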
