Certificate Services, install on domain controller?

All replies

  • What is best practice for where certificate services should be installed? On my primary domain controller? On one of the other domain controllers? On a separate member server dedicated to this service? I have found the following articles on installing this service but they do not mention where it should be installed.

    The best practices for the Active Directory certificate services:

    1- You should use Secondary Enterprise CAs to issue and manage certificates.

    2- The Enterprise Root CA should be kept offline

    The Enterprise Root CA should be kept offline because of the following:

    Let's suppose a hacker attacked an Enterprise Secondary CA. In this case, you can revoke its certificate so that all the certificates issued by this CA will be revoked.

    Let's suppose a hacker attacked an Enterprise Root CA. Here, you may be in big trouble.


    So, in your case, I recommend that you:

    1- Install the Enterprise Root CA on a server that hosts no other services

    2- Install your Enterprise Secondary CAs that will issue and manage certificates. (You can use a new server, there is no problem with that)

    3- Keep your Enterprise Root CA offline once you have installed and certified all your Secondary CAs.

    So, there is no need to install the AD CS on domain controllers. You should just keep in mind what I told you.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, September 06, 2010 2:51 PM
  • On Mon, 6 Sep 2010 14:51:10 +0000, Mr X wrote:

    2- The Enterprise Root CA should be kept offline

    An Enterprise CS cannot, by definition, be offline.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 3:01 PM
  • On Mon, 6 Sep 2010 15:01:44 +0000, Paul Adare wrote:

    An Enterprise CS cannot, by definition, be offline.

    CS should be CA.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 3:04 PM
  • I have a small environment so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (Netapp) both have web based interfaces. When either I or my staff visit these interfaces we always get the message that this may not be a trusted site and have to hit "continue to this site" to get the login screen.

    If I can issue certificates via my own CA and then import them into the Meru and Netapp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

    I am thinking about bringing up another WinServer 2008 R2 server under VMWare and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea.

    Your thoughts?

    Monday, September 06, 2010 8:37 PM
  • On Mon, 6 Sep 2010 20:37:49 +0000, HendersonD wrote:

    I have a small environment so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (Netapp) both have web based interfaces. When either I or my staff visit these interfaces we always get the message that this may not be a trusted site and have to hit "continue to this site" to get the login screen.

    If I can issue certificates via my own CA and then import them into the Meru and Netapp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

    If you already have certificates that can be used for these devices then
    there's no compelling need to stand up a CA just to get rid of those error
    messages. I'm assuming that these are some kind of self-signed certificates
    and if that's the case then you can either send copies of the certs to
    those who need them and they can manually import them to the Trusted Root
    Certification Authorities store on their local computers, or, you could
    create a GPO and distribute them that way.


    I am thinking about bringing up another WinServer 2008 R2 server under VMWare and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea.

    Installing any additional role on a domain controller is not good from a
    strict security perspective in that you want to try to minimize the attack
    surface on your DCs. With AD CS you have another problem in that you cannot
    remove Active Directory (in the event you want to decommission a DC for
    example) without first removing AD CS from that DC.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 9:16 PM
  • The problem is these devices cannot generate a self-signed certificate. This is the reason I thought about standing up another server just so I can install Certificate Services and issue self-signed certificates. When I had only one device (site) that gave this message it was no big deal. Now I have 6 devices that all have web interfaces and when visiting these interfaces my staff and I are always hit with the security message.
    Tuesday, September 07, 2010 2:02 PM
  • Hi,

    It's relatively easy to build a CA in a small environment. Please refer to the following guides:

    Building an Enterprise Root Certification Authority in Small and Medium Businesses
    http://technet.microsoft.com/en-us/library/cc875810.aspx

    Active Directory Certificate Services Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, September 08, 2010 10:23 AM
    Moderator
  • I know I am more than a little late to the party, however, it would seem that, from my understanding of virtualization, this would be a prime opportunity to use such. It would seem that you could put a virtual server in place to perform as your CA. I am a novice at the whole virtualization stuff and have been out of the server arena for quite a while, but I would think your best option here would be to pool multiple servers to serve as a cluster hosting multiple virtual servers? That is, if I understand the whole architecture bit correctly. My understanding is that you can take X number of physical servers to create what would functionally be one big server to host any number of virtual servers? I am all ears to any better information.

    Mike


    Wednesday, April 27, 2011 11:01 AM
  • Hi there,

    I am very late to the party.

    I would advise against installing a root CA on a domain controller for the same reasons as some others here. See https://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx

    Now, I would advise against using Windows Server, in this scenario, though.

    Get a desktop, a decommissioned one would do fine. Install *nix on the box with openssl or libressl (I will go on with openssl from now on); it does not really matter which. Use openssl to create your private key and any certificates you need. If you need secondary Windows CAs in your data center, that is fine, use openssl to create the certificates for them. You keep the system offline, as in, NOT connected to a network. Whether you leave it turned on or not does not really matter.

    The important thing is you make a backup of the private key as generated from openssl and you store that in a very safe place ... you should probably make two and store them at two different banks.

    Every now and then, you backup the private key and ensure that certificates generated with it are still trusted - just to be sure you have the good private key and it has not been tampered with.

    Should the system fail some time down the road, you still have that private key and can use it in a new *nix box with openssl to generate trusted certs.

    Just my $0.02

    Why anybody pays a Windows Server license for an offline box is beyond me ... really
    • Edited by thecarpy Friday, September 30, 2016 1:51 PM I had to remove the name of a famous Finnish OS to be able to post this comment
    Friday, September 30, 2016 1:50 PM
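The following is an added example, not code from any post in this thread or from any product it mentions. It builds the offline-root design that thecarpy describes with openssl (root key and self-signed root cert, a subordinate issuing CA certified by the root, and a server certificate for a device web interface issued by the subordinate), then walks through the scenario Mr X gives as the reason for keeping the root offline: the root revokes the subordinate's certificate and publishes a CRL, and the subordinate stops verifying. Every name, hostname (`storage.example.test`), file path and the minimal `ca.cnf` are constructed for the example; the only tool assumed is a current openssl (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from any product it names: an
# offline root CA, one subordinate issuing CA and one server certificate, all
# built with openssl, plus revocation of the subordinate via the root's CRL.
# All names, hostnames and paths below are constructed for the example.
set -eu

# Minimal openssl config in directory $1: a [req] stub so -subj works, one
# extension profile per tier, and a [ca] section so the root can issue CRLs.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_root]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:storage.example.test
[ca]
default_ca = root_ca
[root_ca]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
crlnumber = $dir/crlnumber
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[policy_any]
commonName = supplied
EOF
}

# Build root -> subordinate -> server in directory $1.
build_pki() (
  cd "$1" && write_config .
  # Root: key plus self-signed cert. In the real design this key exists only
  # on the offline box and its backups.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -extensions v3_root -subj "/CN=Example District Root CA" \
    -keyout root.key -out root.pem 2>/dev/null
  # Subordinate: only its CSR travels to the root box; pathlen:0 stops it
  # from certifying further CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=Example District Issuing CA" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.cnf -extensions v3_sub -out sub.pem 2>/dev/null
  # Server cert for a device web interface, issued by the subordinate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=storage.example.test" -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 365 -sha256 -extfile ca.cnf -extensions v3_server -out server.pem 2>/dev/null
  # Empty CA database and CRL counter for the root.
  : > index.txt
  echo 1000 > crlnumber
)

# Does the server cert chain to the root through the subordinate? (exit status)
server_chain_ok() (
  cd "$1" && openssl verify -CAfile root.pem -untrusted sub.pem server.pem >/dev/null 2>&1
)

# Root issues its CRL; on the real system this is done on the offline box and
# the CRL file is copied out to wherever clients fetch it.
issue_root_crl() (
  cd "$1" && openssl ca -config ca.cnf -gencrl -out root.crl >/dev/null 2>&1
)

# Revoke the subordinate (what you do after it is compromised), reissue the CRL.
revoke_sub_ca() (
  cd "$1" && openssl ca -config ca.cnf -revoke sub.pem >/dev/null 2>&1 && issue_root_crl .
)

# Is the subordinate still trusted once the root's CRL is consulted? (exit status)
sub_ca_trusted() (
  cd "$1" && openssl verify -crl_check -CAfile root.pem -CRLfile root.crl sub.pem >/dev/null 2>&1
)

# Stand-alone run: walk the whole lifecycle and report each check.
main() {
  d=$(mktemp -d)
  build_pki "$d"
  if server_chain_ok "$d"; then echo "server cert chains to root: yes"; else echo "chain broken"; fi
  issue_root_crl "$d"
  if sub_ca_trusted "$d"; then echo "subordinate trusted before revocation: yes"; fi
  revoke_sub_ca "$d"
  if sub_ca_trusted "$d"; then echo "still trusted after revocation: BUG"; else echo "subordinate trusted after revocation: no"; fi
  rm -rf "$d"
}
main
```

Two design points worth noting. The root key and `ca.cnf` are the only things that ever need to be on the offline box; the subordinate's CSR goes in and its signed certificate and the root's CRL come out, which is why thecarpy's "two backups in two banks" advice is about the root key alone. And the revocation check here deliberately verifies the subordinate certificate itself with `-crl_check`: a check of `server.pem` with `-crl_check_all` would additionally require the subordinate's own CRL for its leaf certificates, which this example does not generate.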