Certificates

  • Question

  • Hello,

    I understand how certificates work when we buy from a reputed company.

    Now my question is: when we deploy our own Microsoft Windows Server 2016/2012 as a CA, why do we need to issue certificates to client computers or users?

    In a live environment, when we access any HTTPS site, we don't have any certificate of our own, and we can still identify whether the certificate is valid or trusted. Thanks

    Regards

    Thursday, February 8, 2018 7:19 PM

Answers

  • Hi Chapter7,

    You did at the moment of generating the CSR. At that point, the application generated the private/public key pair, kept the private key, and processed the public key into the CSR. When you import the certificate back into the application that generated the CSR, it should recognize the combination with the private key and start using the combined whole.

    • Marked as answer by chapter 7 Thursday, February 15, 2018 1:56 AM
    Wednesday, February 14, 2018 8:21 AM
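    The flow this answer describes, as an added example that is not part of the original thread: openssl stands in for both the requesting application and the Windows CA (all names such as demo-ca and web01.example.internal are constructed placeholders, and openssl is assumed to be on PATH). It generates the key pair at CSR time, has the CA sign only the public half, and then runs the check an admin wants at import time: does the issued certificate belong to the private key kept on the server?

```shell
#!/bin/sh
# Added example, not code from the thread. Uses openssl as a stand-in for both the
# web server application and the Windows CA; assumes openssl is on PATH.
# All names (demo-ca, web01.example.internal) are constructed placeholders.
set -eu
WORK=$(mktemp -d)

# Step 1: the requesting application generates the key pair and the CSR.
# The private key stays here; only the CSR (carrying the public key) goes to the CA.
gen_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
    -subj "/CN=web01.example.internal" -out "$WORK/server.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR. It never sees the private key, so the certificate
# it returns naturally contains only the public key.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=demo-ca" -days 1 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the check to run when importing the issued certificate: the public key
# inside it must be the one derived from the private key kept in step 1.
# Exit status 0 means they match; non-zero means the certificate belongs to another key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

gen_csr
sign_csr
if cert_matches_key "$WORK/server.crt" "$WORK/server.key"; then
  echo "server.crt matches server.key: import it next to that key"
else
  echo "server.crt does NOT match server.key" >&2
fi
```

    On Windows the same three steps are certreq -new, submission to the CA, and certreq -accept on the machine that created the request; the public-key comparison is the same idea.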

All replies

  • I have no clue what exactly you are asking.

    You might want to reword your question to provide a better overall picture of your issue.

    For computer certificates and endpoints (domain-joined systems), they will have your Enterprise Root CA (or Sub CA, depending on how you deployed your Enterprise CA in your domain) in their trusted root CA store.

    As for your question on HTTPS sites, you have to create a CSR from said web server (which should generate a key pair on the front-end server), sign it with your CA (either via the MMC snap-in or web enrollment), import the certificate back to the web front-end server and bind the certificate to the IIS web site's binding parameters, generally the port 443 binding.

    This stuff doesn't exactly work automatically like the deployment of the CA certs...

    The same thing pretty much goes for external certificates, unless you are used to using wildcard certificates with a common private key that you have been importing on all existing web servers (generally not the best, but common practice in industry).

    The best thing to do is usually to have any external-facing websites signed by your external CA, and for any internal-facing websites, manage your own certificates via web enrollment or the MMC snap-in.

    • Edited by Zewwy Thursday, February 8, 2018 7:36 PM
    Thursday, February 8, 2018 7:34 PM
  • My question is simple.

    When we deploy our own Windows Server as a CA, what are the benefits when client computers and users get certificates from the CA?

    I think certificates are needed only for web applications like web servers, mail servers, SharePoint, etc.

    Why do client computers and users get certificates from the CA? They are not serving any services.

    • Edited by chapter 7 Friday, February 9, 2018 6:57 PM
    Thursday, February 8, 2018 11:37 PM
  • That's a good question. I'm working on a PKI project; my initial use was more for internal websites. I know systems eventually get certificates (for what exact purposes and uses I don't know off hand), but I'll look into it, and when I find out I'll update it.

    Thanks

    Friday, February 9, 2018 4:22 PM
  • External (internet-facing) devices in your DMZ hosting sites accessible by the public or external users are where you'd use certificates from well-known Certification Authorities like those made available in your local Windows OS certificate store, such as GeoTrust, DigiCert, GoDaddy, Entrust, etc. The chain certs are widely available.

    All else internal can be managed by an internal CA to provide a large set of cryptographic services that would support your business functions.

    Here's my quick list of the security services enabled by PKI:

    • Authentication of users, devices and services
    • Encryption/secure exchange of keys and data:
      • Support for session-level encryption protocols (Secure Sockets Layer [SSL], Transport Layer Security [TLS])
      • Secure remote access to systems and application functions (VPNs, Secure Shell [SSH])
    • Encryption of data at rest (e.g., file encryption, S/MIME email encryption, and some forms of digital rights management [DRM])
    • Data integrity protection through digital signing (of documents, applications, and messages)
    • Control access to the network with 802.1x authentication
    • Approve and authorize applications with code signing
    • Protect user data with EFS
    • Secure network traffic with IPsec
    • Protect LDAP-based directory queries with Secure LDAP
    • Implement two-factor authentication with smart cards
    • Protect traffic to internal websites with SSL
    • Implement secure email

    Perhaps this sheds a little light on what is possible for you by deploying an internal PKI.

    • Proposed as answer by Zewwy Thursday, February 15, 2018 5:10 PM
    Monday, February 12, 2018 6:13 PM
  • When I create a CSR for a certificate, the CA will give me a certificate with a public key. How will I generate the private key?
    Tuesday, February 13, 2018 12:45 AM