The Komar PKI book is excellent... I bought the paperback a year ago
for $28 -- it's rather strange to see the e-book at a premium over
this, and the paperback at 10x, but that aside it's a very fine guide
to understanding PKI generally and especially worthwhile to get how
Windows uses it, even if you have lots of experience with things like
PGP, OpenSSL CAs, etc.

--Steve

On Tue, Jul 3, 2012 at 7:17 PM, Kurt Buff <[email protected]> wrote:
> No, you are not overthinking this.
>
> It's not extremely complicated, but it's very good to do all of your
> reading and get your ducks all in a row before you start this.
>
> I went with a two-tier installation - the root CA is a VM that's shut
> down and copied to a portable disk, and is not a member of the domain.
>
> Make sure that you note when your CRL expires, so that you can bring
> up your root CA in time to generate a new one.
>
> If you want to get more depth on the subject, I recommend this book
> (only available as an ebook, unfortunately):
> http://shop.oreilly.com/product/9780735625167.do
>
> Kurt
>
> On Tue, Jul 3, 2012 at 3:48 PM,  <[email protected]> wrote:
>> We will be installing Microsoft Lync here very soon and I need to have a
>> certificate authority running.  To date, we’ve not had a need to stand one
>> up and from the research I’ve done, it seems there are a number of ways to
>> go – three tier, two, standalone.
>>
>>
>>
>> Our needs are for Lync, maybe some certs for some smart phones and some
>> internal software we’ve written so it’s not a complicated system from our
>> perspective.  At least not for the short term.  I obviously don’t want to do
>> something that I’ll regret later and was looking for some advice from others
>> who have traveled these roads and learned what to do, and what not to do.
>>
>>
>>
>> From my research, I think a two tier system will work but I’m not real clear
>> at this point how you have an offline CA (for security purposes) and
>> subordinate CAs to hand out certs.  Still reading up on all that.
>>
>>
>>
>> Am I overthinking all this as my Lync installer suggests?  He said that I
>> should just install the certificate role on a DC and that would be that.  I
>> think they might be better at installing and configuring Lync than they are
>> at designing certificate authorities as my research indicates doing that is
>> not the best way to go.
>>
>> Can anyone share their experiences as time is short and I need to decide
>> what CA to stand up?
>>
>>
>>
>> Any advice would be appreciated.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Jim
>>
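
The CRL-expiry reminder in Kurt's reply can be turned into a scheduled check. This is an added example, not part of the original thread; it parses the `NextUpdate` field that `certutil -dump` prints for a CRL file. The file path, the 14-day threshold and the function names are assumptions.

```powershell
# Added example: warn before the offline root CA's CRL expires.
# $CrlPath and $WarnDays are assumed values; adjust them to your environment.
param(
    [string]$CrlPath  = 'C:\pki\RootCA.crl',  # hypothetical copy of the published root CRL
    [int]   $WarnDays = 14                     # assumed lead time for booting the root CA
)

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "CRL file not found: $Path" }
    # certutil -dump decodes the CRL and prints a "NextUpdate:" line.
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to decode $Path" }
    $hit = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+?)\s*$' |
           Select-Object -First 1
    if (-not $hit) { throw "No NextUpdate field found in $Path" }
    # Assumption: English field labels, date printed in the current culture.
    $text = $hit.Matches[0].Groups[1].Value
    return [datetime]::Parse($text, [cultureinfo]::CurrentCulture)
}

function Get-CrlStatus {
    param([datetime]$NextUpdate, [int]$WarnDays, [datetime]$Now = (Get-Date))
    if ($NextUpdate -le $Now) { return 'EXPIRED' }   # clients already reject this CRL
    $daysLeft = [math]::Floor(($NextUpdate - $Now).TotalDays)
    if ($daysLeft -lt $WarnDays) { return 'RENEW' }  # bring the root CA online now
    return 'OK'
}

$next   = Get-CrlNextUpdate -Path $CrlPath
$status = Get-CrlStatus -NextUpdate $next -WarnDays $WarnDays
'{0}: root CRL NextUpdate is {1:yyyy-MM-dd HH:mm}' -f $status, $next
if ($status -ne 'OK') { exit 1 }   # non-zero exit lets a scheduled task raise an alert
```

Run it from a domain-joined machine against the copy of the root CRL published at your CRL distribution point, so the offline root itself stays powered down until the check reports `RENEW`.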
