Question regarding certificate services for NAP and Exchange

  • Question

  • This one is a bit odd.  I'm trying to design a NAP infrastructure (for 802.1x and Security Health Agent only, no IPSEC), and am also having to implement Certificate Services.  I only have a moderate amount of CS knowledge, but that makes me an expert in my office. 

    Anyway, our Exchange admin is also trying to deploy CS for use with Exchange and OCS.  Just as NAP servers need certs, so do Exchange and OCS servers.

    The problem I have is that the Exchange admin says that Exchange/OCS needs to have a separate certificate infrastructure from NAP.  Specifically, he says that he read that the issuing server that issues the certs to Exchange/OCS cannot be the same issuing server that issues certs to the NAP servers.

    Does this sound right to anyone else?  The way we are going, we're going to wind up with two independent certificate infrastructures in the same Windows forest, a NAP-centered CS based on the root of the forest, and an Exchange/OCS-centered CS based in a child domain.  This sounds very wrong to me.
    Tuesday, August 18, 2009 8:24 PM

Answers

  • Hi,

    I think your Exchange admin may be reading about the NAP IPsec enforcement method, which does recommend that the NAP CA only issue NAP certificates. These "NAP certs" for the IPsec enforcement method are short-lived (4-24 hours usually) "health" certificates, so that is why you need to worry about the load on the NAP CA. 

    The situation is different for 802.1X because the only cert you need here are long lived computer certs (~1 year validity). I don't see why you would need a different CA for NAP vs. Exchange in this scenario. You probably need different certificates, but using the same CA to issue both certs should be OK. I'm not an expert on Exchange certificates, however.

    -Greg
    Wednesday, August 19, 2009 9:10 PM
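    A rough issuance-load model for the point Greg makes above, added here as an example and not part of the thread. The fleet sizes, the 8-hour health-certificate lifetime and the assumption that renewals are spread evenly in time are constructed for illustration, not taken from product documentation.

```python
# Added example (not from the thread): a rough issuance-load model for the
# two NAP enforcement methods Greg contrasts. Fleet sizes, the 8-hour
# health-certificate lifetime and the even-spread renewal assumption are
# constructed for illustration, not taken from any product documentation.

HOURS_PER_YEAR = 365 * 24


def issuance_rate_per_hour(clients, validity_hours, renew_at_fraction=1.0):
    """Steady-state certificates issued per hour.

    Each client is assumed to re-enrol once renew_at_fraction of its
    certificate's validity has elapsed, with renewals spread evenly in
    time (no enrollment bursts such as a Monday-morning logon storm).
    """
    if clients < 0 or validity_hours <= 0 or not 0 < renew_at_fraction <= 1:
        raise ValueError("invalid model parameters")
    return clients / (validity_hours * renew_at_fraction)


def compare_enforcement_methods(clients, health_cert_hours=8.0,
                                computer_cert_hours=HOURS_PER_YEAR):
    """IPsec health certs (hours) versus 802.1X computer certs (about a year)."""
    ipsec = issuance_rate_per_hour(clients, health_cert_hours)
    dot1x = issuance_rate_per_hour(clients, computer_cert_hours)
    return {
        "ipsec_health_per_hour": ipsec,
        "dot1x_computer_per_hour": dot1x,
        "ratio_ipsec_to_dot1x": ipsec / dot1x,
    }


def shared_ca_load_per_day(nap_clients, nap_validity_hours,
                           app_servers, app_validity_hours=HOURS_PER_YEAR):
    """Daily issuances on one CA that serves NAP clients plus a handful of
    Exchange/OCS server certificates, and the fraction the servers add."""
    nap = issuance_rate_per_hour(nap_clients, nap_validity_hours) * 24
    app = issuance_rate_per_hour(app_servers, app_validity_hours) * 24
    total = nap + app
    return {"nap_per_day": nap, "app_per_day": app,
            "app_share": app / total if total else 0.0}


if __name__ == "__main__":
    print(compare_enforcement_methods(5000))
    # 802.1X NAP fleet plus ten Exchange/OCS servers on one CA
    print(shared_ca_load_per_day(5000, HOURS_PER_YEAR, 10))
    # IPsec health certs on the same CA: here a dedicated CA is worth considering
    print(shared_ca_load_per_day(5000, 8.0, 10))
```

    With 802.1X computer certs the ten server certificates add a fraction of a percent to the daily load, which is why sharing the CA is reasonable there; with hourly-scale health certs the NAP fleet dominates by three orders of magnitude.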

All replies

  • Hi,

    I believe you are using Active Directory Certificate Services for your certificate authority. Technically it should be possible for you to use the same certificate server for both Exchange and OCS. We haven't tested this setup in our lab. But that said, you might need to check on the scalability of the certificate server on how far it can scale.

    The load from NAP on the certificate server would depend on the number of access requests the NAP Server gets.

    Thanks,
    Srinivasulu.

    Tuesday, August 18, 2009 11:06 PM