Thanks for the great comments.  I'll revisit the design with the vendor helping 
me implement the solution.  It seems clear that I should be using a commercial 
cert for the edge services - access.xyz.com, webcon.xyz.com, av.xyz.com.

In addition to the needs for my Lync installation, I had originally intended to 
use an internal CA to issue certs to company laptops and cell phones in the 
case where management chooses to limit access to Outlook Anywhere and 
ActiveSync to only company-issued devices.  Does that sound reasonable, or is 
there a better way to limit access to such things to company-issued devices 
should that be their whim?

Jim

From: William Robbins [mailto:[email protected]]
Sent: Wednesday, July 04, 2012 9:21 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

I'd have to concur, especially if federating is in your Lync future.

Besides that, if you are utilizing smart phones/3rd-party software, it's much 
easier to use certs from an already trusted external CA.  Otherwise you'll need 
to install Root CA chains on your devices for your internal CA.

We ended up using a hybrid of internal and external certs, but our internal PKI 
is mature, and we used 3rd-party certs for all the Edges.

 - Will

On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond <[email protected]> wrote:
Why does installing Lync necessitate a CA? Just get the certs from a commercial 
CA.

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c - 312.731.3132

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a 
certificate authority running.  To date, we've not had a need to stand one up, 
and from the research I've done, it seems there are a number of ways to go: 
three-tier, two-tier, standalone.

Our needs are for Lync, maybe some certs for some smart phones, and some 
internal software we've written, so it's not a complicated system from our 
perspective.  At least not for the short term.  I obviously don't want to do 
something that I'll regret later and was looking for some advice from others who 
have traveled these roads and learned what to do, and what not to do.

From my research, I think a two-tier system will work, but I'm not real clear 
at this point how you have an offline CA (for security purposes) and 
subordinate CAs to hand out certs.  Still reading up on all that.

Am I overthinking all this as my Lync installer suggests?  He said that I 
should just install the certificate role on a DC and that would be that.  I 
think they might be better at installing and configuring Lync than they are at 
designing certificate authorities as my research indicates doing that is not 
the best way to go.

Can anyone share their experiences?  Time is short and I need to decide what 
CA to stand up.

Any advice would be appreciated.

Thanks

Jim
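
An added example, written for this page and not code from anyone in the thread 
or from Microsoft, in Go: it models the two-tier design Jim asks about (an 
offline root that signs only the issuing CA, which in turn hands out 
certificates), issues one server certificate covering the three edge names from 
Jim's reply and one client-auth certificate for a company device of the kind he 
considers for restricting Outlook Anywhere and ActiveSync, and then runs chain 
validation the way a phone or a server would. Will's point about installing the 
root chain on devices falls out of the last part: the same edge certificate 
validates when the internal root is in the trust store and fails when it is 
not. The CA names, lifetimes, device name and key type are assumptions made for 
the example; nothing here touches a real Windows CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EdgeNames are the Lync edge service names from the thread.
var EdgeNames = []string{"access.xyz.com", "webcon.xyz.com", "av.xyz.com"}

// Hierarchy is an assumed two-tier PKI. Only the issuing CA's key stays online;
// the root key is used once in NewHierarchy and would then live offline.
type Hierarchy struct {
	Root, Issuing *x509.Certificate
	IssuingKey    *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the parent's private key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// template fills the fields every certificate in the hierarchy shares
// (random positive serial, assumed names and lifetimes).
func template(cn string, years int, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// NewHierarchy builds the self-signed root and the issuing CA it signs.
func NewHierarchy() *Hierarchy {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template("XYZ Offline Root CA", 20, true, caUsage)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issTmpl := template("XYZ Issuing CA", 10, true, caUsage)
	issTmpl.MaxPathLenZero = true // the issuing CA may not create further sub-CAs
	issuing := sign(issTmpl, root, &issKey.PublicKey, rootKey)
	return &Hierarchy{Root: root, Issuing: issuing, IssuingKey: issKey}
}

// Issue signs an end-entity certificate from the issuing CA. dnsNames is the
// SAN list for a server; leave it nil for a device (client-auth) certificate.
func (h *Hierarchy) Issue(cn string, dnsNames []string, eku x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template(cn, 1, false, x509.KeyUsageDigitalSignature)
	tmpl.DNSNames = dnsNames
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	return sign(tmpl, h.Issuing, &key.PublicKey, h.IssuingKey)
}

// Verify replays what a relying party does: chain the leaf through the
// intermediates the peer presented to a root it already trusts, then check the
// name and extended key usage. An empty trusted set stands in for a phone that
// never had the internal root installed; it must fail despite a valid chain.
func Verify(leaf *x509.Certificate, trusted, presented []*x509.Certificate, dnsName string, eku x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{eku},
	})
	return err
}

func main() {
	h := NewHierarchy()
	edge := h.Issue(EdgeNames[0], EdgeNames, x509.ExtKeyUsageServerAuth)
	device := h.Issue("laptop-0042", nil, x509.ExtKeyUsageClientAuth) // assumed device name
	trust, chain := []*x509.Certificate{h.Root}, []*x509.Certificate{h.Issuing}
	fmt.Println("edge, root trusted:", Verify(edge, trust, chain, EdgeNames[1], x509.ExtKeyUsageServerAuth))
	fmt.Println("edge, root missing:", Verify(edge, nil, chain, EdgeNames[1], x509.ExtKeyUsageServerAuth))
	fmt.Println("device as client:  ", Verify(device, trust, chain, "", x509.ExtKeyUsageClientAuth))
	fmt.Println("device as server:  ", Verify(device, trust, chain, "", x509.ExtKeyUsageServerAuth))
}
```

Run it with go run to see the four results. The "root missing" line is the 
unknown-authority error a phone carrying only the public roots would produce 
against an internally issued edge certificate, which is the reason the thread 
steers the edge names to a commercial CA: a commercial root in the trust store 
is simply the "trusted" case with a different root. The device certificate 
verifies only for client authentication, so a server that requires a client 
certificate chaining to the internal root accepts company devices and nothing 
else, and the same certificate cannot be turned around to impersonate a server.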


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin