Clarification - Windows Server 2008 R2 Standard CA

  • Question

  • Hi,

    I am looking for some clarification on deploying a Windows Server 2008 R2 Standard CA and version 2 and version 3 certificates. I currently have a Windows Server 2008 Standard CA.

    Some of the documentation I am reading states that to deploy version 2 and 3 certificates, the OS needs to be:

    "Remember that version 2 certificate templates can only be issued by Enterprise CAs running on Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition." - http://technet.microsoft.com/en-us/library/cc770794(WS.10).aspx

    Then I read other documentation that reads the following:

    "On Windows Server 2008 R2, v2 templates can be used by a CA installed on Standard, Enterprise, Datacenter, Foundation and Server Core Editions" - http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx

    I am able to create/duplicate version 2 and 3 templates in my certificate template console and they replicate to my other domain controllers, so I don't think it's a schema issue. However, they always show a minimally supported CA of 2003 or 2008 Enterprise and never appear under my certificate templates folder when I connect to my CA using certsrv.msc.

    Any clarification or suggestions would be greatly appreciated.

    Friday, January 27, 2012 2:37 PM

Answers

  • Server 2008 Standard can only issue certificates based on V1 certificate templates.

    Server 2008 R2 Standard is allowed to issue certificates based on V1, V2, and V3 certificate templates.

    Windows Server 2008 does not equal Windows Server 2008 R2.

    This ability was introduced with the Windows Server 2008 R2 SKU.

    You will have one of two choices:

    - Upgrade to Server 2008 Enterprise

    - Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise

    Brian

    • Proposed as answer by Brian Komar [MVP] Friday, January 27, 2012 2:47 PM
    • Marked as answer by Bruce-Liu Thursday, February 2, 2012 5:35 AM
    Friday, January 27, 2012 2:47 PM
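
A read-only check for the situation in this thread, added here as an example and not posted by anyone in the thread: it lists the certificate templates in Active Directory with their schema version and flags the ones the local CA edition cannot issue under the rule in the answer above. It assumes it is run in PowerShell on the domain-joined CA server, and that a Standard edition reports `OperatingSystemSKU` 7 (or 13 for Server Core).

```powershell
# Added example: run on the CA server itself. It only reads from WMI and AD.
# Rule taken from the answer above:
#   Windows Server 2008 Standard                  -> V1 templates only
#   Windows Server 2008 Enterprise, 2008 R2 (any) -> V1, V2 and V3 templates

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version               # 6.0.x = Server 2008, 6.1.x = Server 2008 R2
$standardSkus = 7, 13                     # Standard, Standard Server Core

if ($ver.Major -ne 6 -or $ver.Minor -gt 1) {
    Write-Warning "OS version $ver is outside what this thread covers (2008 / 2008 R2)."
}

if ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and
    $standardSkus -contains $os.OperatingSystemSKU) {
    $maxVersion = 1                       # Server 2008 Standard
} else {
    $maxVersion = 3
}
Write-Host "$($os.Caption): highest issuable template version = V$maxVersion"

# Templates live in the forest-wide Configuration partition.
$root   = [ADSI]'LDAP://RootDSE'
$base   = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services," +
          "$($root.configurationNamingContext)"
$search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
$search.Filter   = '(objectClass=pKICertificateTemplate)'
$search.PageSize = 200
[void]$search.PropertiesToLoad.Add('cn')
[void]$search.PropertiesToLoad.Add('mspki-template-schema-version')

$search.FindAll() | ForEach-Object {
    $v = $_.Properties['mspki-template-schema-version']
    # V1 templates carry no schema-version attribute, so a missing value means V1.
    $schema = if ($v -and $v.Count -gt 0) { [int]$v[0] } else { 1 }
    New-Object PSObject -Property @{
        Template      = [string]$_.Properties['cn'][0]
        SchemaVersion = $schema
        IssuableHere  = ($schema -le $maxVersion)
    }
} | Sort-Object SchemaVersion, Template |
    Format-Table Template, SchemaVersion, IssuableHere -AutoSize
```

Templates shown with `IssuableHere` set to `False` are the ones that exist in the directory but cannot be issued by a CA on that edition.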

All replies

  • Brian Komar, thank you for the answer!

    I have another question. The Training Kit (Exam 70-640) states: "Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Datacenter edition". Is it true? If yes, how can we issue certificates based on V3 certificate templates on Windows Server 2008 R2 Standard?


    • Edited by ITsnik Wednesday, February 8, 2012 6:58 AM
    Wednesday, February 8, 2012 6:57 AM
  • The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server 2003) where the statement was correct.

    Brian

    Wednesday, February 8, 2012 12:30 PM
  • Thank you, Brian. You helped me dispel my doubts )
    Wednesday, February 8, 2012 10:08 PM
  • Okay, so on this same note, I'm looking at a practice test type question for the 70-640 exam that shows the server running Windows Server 2008 R2 Standard, and mentions that when you set up the Enterprise Sub Certificate Authority, the Enterprise Sub CA option is not available. The multiple choice solutions are: a. upgrade to enterprise; b. run server manager as an admin; c. import the root CA; d. Join the server to the domain.

    I had thought it was "A" because of the enterprise 2008 issue, but if this is changed in standard R2 ... looking at the fact that the info shows the Workgroup to be "WORKGROUP," I am inclined to answer D. Is this right? Or should it still be A?

    Tuesday, February 21, 2012 7:03 PM
  • This forum is for helping people with real world PKI and security issues. It is not a study board <G>

    That being said, D would be my answer. Based on some of the other things I have heard about the exam, that may not be the answer they are looking for ;-)

    Brian

    Tuesday, February 21, 2012 8:15 PM