Configuring SSL for Active Directory
Hello, I was advised to post my questions here as they are security related and might be better suited to this forum. We have a Windows 2000 domain (hopefully going to 2008 R2 this year finally!) that consists of (2) Windows 2000 domain controllers and (2) Windows 2003 domain controllers. We recently acquired a single sign-on appliance (Imprivata) that requires that Active Directory have SSL enabled to allow password changes. We do not have a PKI environment at present. While I'm sure a PKI would be best suited for this, I think it would probably be better to wait until our domain is upgraded to 2008 R2. Additionally, I need a solution ASAP, and I don't think I can set up a PKI environment according to best practices in the time that I have. Given this information, here are my questions:

1) Assuming I use a 3rd party CA (Verisign, Thawte, GoDaddy, etc.), do I need to install an SSL certificate on each domain controller, or can I possibly point the single sign-on appliance to one domain controller and that would suffice?

2) Assuming I only installed the 3rd party CA certificate on one DC, how would my Windows clients interact with that one DC that has the SSL cert installed? Would they automatically accept the SSL certificate somehow, or does each Windows client in the domain need to import the certificate?

3) Is there any reason you would NOT recommend using a 3rd party CA for this situation?

4) After I install the 3rd party CA certificate and later decide to implement a PKI, what do I do about the 3rd party CA certificate that was installed on the domain controller(s)?

Thanks!
May 25th, 2010 9:28pm

Hi, please check my answers below:

1) Assuming I use a 3rd party CA (Verisign, Thawte, GoDaddy, etc.), do I need to install an SSL certificate on each domain controller, or can I possibly point the single sign-on appliance to one domain controller and that would suffice?

Yes, you need to request a certificate for each domain controller unless you want the single sign-on appliance to locate only one specific domain controller.

2) Assuming I only installed the 3rd party CA certificate on one DC, how would my Windows clients interact with that one DC that has the SSL cert installed? Would they automatically accept the SSL certificate somehow, or does each Windows client in the domain need to import the certificate?

The client computers must trust the CA that issues the certificate. For more information, please refer to the following article: How to enable LDAP over SSL with a third-party certification authority http://support.microsoft.com/kb/321051

3) Is there any reason you would NOT recommend using a 3rd party CA for this situation?

It is fine to use a 3rd party CA. However, you need to ensure that the client computers trust the CA and that the CRL is accessible.

4) After I install the 3rd party CA certificate and later decide to implement a PKI, what do I do about the 3rd party CA certificate that was installed on the domain controller(s)?

You can keep the certificate or remove it if it is being used. You can refer to the "Multiple SSL certificates" and "Windows Server 2008 improvements" sections of the KB article for more information.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 26th, 2010 5:27am
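One way to verify, from a client's point of view, the requirements listed in the answer above (a certificate on each DC, a CA the clients trust, and the DC's own name on the certificate), as an added Python example that is not code from the thread or from Microsoft; the DC names and the CA bundle path are placeholders, and the hostname check implements the usual whole-label wildcard rule rather than any Windows-specific behaviour:

```python
"""Check that each domain controller serves LDAPS (TCP 636) with a certificate
that chains to a CA the clients trust and that names the DC itself.
Added example, not code from the thread; DC names and the CA bundle path
are placeholders."""
import socket
import ssl

LDAPS_PORT = 636


def cert_covers_host(peercert: dict, fqdn: str) -> bool:
    """True if a SAN dNSName (or, with no SAN, the subject CN) covers fqdn.
    A client reaching a DC by that name rejects the connection otherwise,
    however trusted the issuing CA is; this is why each DC needs its own cert."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if "subjectAltName" not in peercert:  # legacy fallback to the CN
        names = [v for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = fqdn.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host) or pat[1:] != host[1:]:
            continue
        if pat[0] == host[0]:
            return True
        if pat[0] == "*" and len(pat) >= 3:
            return True  # wildcard replaces one whole leftmost label only
    return False


def check_dc_ldaps(fqdn: str, cafile: str, timeout: float = 5.0):
    """Connect to fqdn:636 as a client would: validate the chain against
    cafile (the CA bundle the clients trust) and then the DC name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name checked below for a clearer message
    try:
        with socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, f"chain does not validate against {cafile}: {e.verify_message}"
    except OSError as e:
        return False, f"LDAPS not reachable: {e}"
    if not cert_covers_host(cert, fqdn):
        return False, "certificate does not name this DC"
    return True, "ok"


if __name__ == "__main__":
    for dc in ["dc1.example.internal", "dc2.example.internal"]:  # placeholders
        print(dc, *check_dc_ldaps(dc, "trusted-ca-bundle.pem"))
```

Run it from a domain member with the same CA bundle the clients trust; a chain failure on any DC means that DC still needs a certificate issued by that CA.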

Hi, How are you? I've not heard back from you in a few days and wanted to check if you need further assistance. If there is anything unclear, please do not hesitate to respond back. This posting is provided "AS IS" with no warranties, and confers no rights.
June 1st, 2010 4:29am

Hi Joson, I've configured my post to alert me when someone responds, but it never seems to work. Sorry about that. Thank you very much for responding to my questions - I think you've addressed them all. As I'm implementing this, I'm sure I'll run into some other issues. I'll be sure to post back here. -Mark
June 2nd, 2010 12:14am

Hi Mark, Thanks for your response. I am glad to hear that the information is helpful. Please feel free to post in our forums if you need any further assistance in the future. Have a nice day. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights.
June 2nd, 2010 5:29am

I have to revive this thread. Yesterday I went through the order process to purchase the 3rd party SSL certificates from Thawte for my four domain controllers. I received a call today from Thawte stating that they could not issue the certificates because the FQDNs of my servers are not registered. My internal domain is vcare.us, and because ".us" is a public top-level domain, I would need to register the domain name in order for them to issue the certificate. I'm really not sure what to do, since I don't want to register the name, as the certificates will only ever be used for internal purposes. Any advice?
June 17th, 2010 2:23am

I have to revive this thread. Yesterday I went through the order process to purchase the 3rd party SSL certificates from Thawte for my four domain controllers. I received a call today from Thawte stating that they could not issue the certificates because the FQDNs of my servers are not registered. My internal domain is vcare.us, and because ".us" is a public top-level domain, I would need to register the domain name in order for them to issue the certificate. I'm really not sure what to do, since I don't want to register the name, as the certificates will only ever be used for internal purposes. Any advice?

This is bad DNS design. .us is an Internet top-level domain. No CA will issue a certificate for an Internet domain name that can't be proved to be owned by the end user. Imagine what would happen if they did. Someone later may buy vcare.us, and then they may want a CA to generate certificates for them, as they are a legitimate owner of this domain. If the CA was also generating them for you at your request, you would effectively be able to 'spoof' the identity of this domain.

You only have 2 choices.

1. Buy the domain name. You don't actually have to use it for anything, but if you own it, then you can get your CA to generate certs for you using that name.

2. Change your internal TLD to something not in use on the Internet. Most people use .int or .ad or something like that.

Personally I think the first option is pretty easy and low cost, and it gets you where you need to go.
July 2nd, 2010 11:20pm
