Considerations for setting up a Certificate Server
Hi there,

In our company we'd like to set up a certificate server for several internal things, now or in the future, like HTTPS connections to internal IIS-hosted websites for our Windows 7 clients, BitLocker, or other things. We have about 400 clients and 60 servers.

So what do I have to consider when building up a certificate server? Are a root certificate and sub-certificates better than just one? What about recovery in case of a failure? A revocation URL for clients in case of changes? Do you have other ideas or some good guidance about this theme?

Thanks for any input.
uerueluem
January 18th, 2010 7:30pm

My best advice is to do some research first. This is a good place to start: http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
Also I'd highly recommend picking up Brian Komar's book: http://www.microsoft.com/learning/en/us/book.aspx?ID=9549&locale=en-us
Note that I've got a bit of a bias when it comes to Brian's book, as he's my business partner and I was the technical editor for the book.
Paul Adare CTO IdentIT Inc. ILM MVP
January 18th, 2010 7:46pm

Hi,
Besides Paul's suggestion, the following guide could be helpful for you to implement a PKI environment: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx
This posting is provided "AS IS" with no warranties, and confers no rights.
January 20th, 2010 9:30am

I strongly recommend a single-server solution, none of this over-engineered three-tier stuff (offline root CA, offline policy CA, online issuing CA: overkill). You don't want to spend 100% of your time on PKI, do you? I respect Brian Komar and have read his book; however, this is one of the things we disagree on, and I speak from experience with the three-tier stuff I support every day. Being a day-to-day system administrator you have a ton of other things to do, I'm sure, so just build an online AD-integrated Certificate Authority server on a separate physical box (none of this virtual ____ either), so that it is not also a domain controller. Even when you do this you will still spend plenty of time on certificate templates, auto-enrollment, AD group policies, etc. to make all of this work right, so keep it simple and good luck.

Almost forgot: read up on a new feature called Online Certificate Status Protocol (OCSP). It potentially replaces the need for CRLs in Windows Server 2008 and Vista and above clients. Your CA would have to be Server 2008, not 2003.
January 20th, 2010 10:32pm
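
Editor's added example of the single-CA build the post above recommends (online, AD-integrated Enterprise CA on its own member server, templates, auto-enrollment by GPO, and the Online Responder). This is not code from the thread or from any poster. It assumes Windows Server 2012 or later, where the ADCSDeployment, ADCSAdministration and GroupPolicy PowerShell modules exist; on the 2008-era servers the thread discusses, the same settings are made through the Add Roles wizard and the certutil lines shown here. The CA name, the HTTP host (assumed to be the CA box itself) and the domain DN are placeholders.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012 or later
# (ADCSDeployment/ADCSAdministration/GroupPolicy modules). CA name, hostnames and the
# domain DN are placeholders. Run elevated as an Enterprise Admin on a domain-joined
# member server that is not a domain controller.

$CAName   = 'Contoso-Issuing-CA'     # assumed CA common name
$HttpHost = 'pki.contoso.local'      # assumed DNS name of this box, serving CRLs, CA certs and OCSP
$DomainDN = 'DC=contoso,DC=local'    # assumed domain DN for the GPO link

# 1. Roles: the CA plus the Online Responder (OCSP) on the same box.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# 2. One online, AD-integrated Enterprise Root CA (single tier, as recommended above).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CAName `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. Publication points. Flag bits (see the certutil -setreg CA\ documentation):
#    CRL URLs: 1=publish CRL here, 2=put in CDP of issued certs, 4=delta CRL pointer,
#              8=include in all CRLs, 64=publish delta CRL here.
#    CA cert:  1=publish CA cert here, 2=put in AIA of issued certs, 32=OCSP URL.
#    HTTP is listed before LDAP so a machine that cannot reach AD (a wireless
#    supplicant before logon, a non-domain host) does not wait for LDAP to time out.
#    IIS on this box must serve %WINDIR%\system32\CertSrv\CertEnroll as /pki.
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://$HttpHost/pki/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://$HttpHost/pki/%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n32:http://$HttpHost/ocsp"

# 4. CRL lifetimes: weekly base CRL, daily delta, 12 h overlap so one missed
#    publication does not make every issued certificate fail revocation checks.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
Restart-Service certsvc
certutil -CRL                        # publish a CRL with the new settings now

# 5. Templates for the uses named in the thread: IIS web servers, the responder's
#    signing certificate, and machine certificates (802.1X wireless clients).
#    Add-CATemplate only publishes an existing template on this CA; the template
#    ACLs (Autoenroll for Domain Computers, Enroll for this box's computer account
#    on OCSPResponseSigning) are set in the Certificate Templates console. The
#    built-in templates grant Enroll, not Autoenroll.
foreach ($t in 'WebServer', 'OCSPResponseSigning', 'Machine') {
    Add-CATemplate -Name $t -Force
}

# 6. Online Responder. After install, create a revocation configuration for
#    $CAName in the Online Responder console; the responder answers from the CRLs
#    this CA publishes and signs with an OCSPResponseSigning certificate.
Install-AdcsOnlineResponder -Force

# 7. Computer auto-enrollment through Group Policy. AEPolicy=7 is
#    AUTO_ENROLLMENT_ENABLE_TEMPLATE_CHECK | ENABLE_MY_STORE_MANAGEMENT |
#    ENABLE_PENDING_FETCH, i.e. "Enabled" with both boxes ticked in the editor.
$gpo = New-GPO -Name 'PKI - Computer Autoenrollment'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $DomainDN | Out-Null

# 8. Checks: CRL status as the CA sees it, and the effective publication URLs.
certutil -CAInfo crlstatus
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Two points worth knowing before running this: the CDP/AIA URLs in step 3 only go into certificates issued after the change, so issue a test certificate afterwards and confirm the URLs in it resolve from a client; and because the root key lives on an online box, back up the CA (certutil -backup) and the key before it issues anything you care about, since losing it means re-issuing everything.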

You have a mistake in your last statement. OCSP does not replace the need for CRLs. The online responder must use CRLs to build its OCSP responses.
Brian
January 21st, 2010 3:36am
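
Editor's added example illustrating the point above: a Windows client checks revocation through OCSP when the certificate carries an OCSP URL and otherwise through the CRL, but the Online Responder's answer is itself derived from the CA's CRL, so a revocation is invisible to both until a new CRL is published and picked up. This is not code from the thread or any poster; it assumes a CA that puts both a CDP and an OCSP URL in its certificates, a test certificate it issued saved at C:\pki\test.cer, RPC access to the CA for the revoke step, and certutil on the path. The CA config string and path are placeholders.

```powershell
# Added example, not from the original thread. Assumes a test certificate issued
# by the CA at $CertPath and a CA reachable over RPC as $CAConfig (placeholders).

$CertPath = 'C:\pki\test.cer'                          # assumed issued certificate
$CAConfig = 'ca01.contoso.local\Contoso-Issuing-CA'    # assumed host\CA name

function Test-Revocation {
    # Build the chain with live revocation checking and report what CryptoAPI
    # concluded. Windows prefers OCSP when the certificate carries an OCSP AIA URL
    # and falls back to the CRL from the CDP; either way the verdict originates in
    # the CA's CRL, directly or via the responder.
    param([string]$Path, [string]$Mode = 'Online')     # 'Offline' = cached data only
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $Mode
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $valid
        Status  = ($chain.ChainStatus | ForEach-Object {
                      "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# 1. Baseline: expect Valid=True and an empty Status.
Test-Revocation -Path $CertPath

# 2. Revoke on the CA (reason 1 = KeyCompromise). The responder keeps answering
#    from the CRL it last loaded, so OCSP still says "good" until a new CRL is
#    published and the responder refreshes it (interval set in its revocation
#    configuration).
$serial = (certutil -dump $CertPath | Select-String 'Serial Number:').ToString().Split(':')[1].Trim()
certutil -config $CAConfig -revoke $serial 1
Test-Revocation -Path $CertPath          # typically still Valid=True

# 3. Publish a fresh CRL, flush the client's cached CRL/OCSP responses (Windows
#    keeps them until they expire), then check again: Status now contains Revoked.
certutil -config $CAConfig -CRL
certutil -urlcache crl delete
certutil -urlcache ocsp delete
Test-Revocation -Path $CertPath

# 4. certutil lists every CDP/AIA/OCSP URL it fetched and the result of each.
certutil -verify -urlfetch $CertPath
```

The practical consequence for the original poster's "revocation URL" question is that the CRL publication interval, not the presence of an OCSP responder, bounds how long a revoked certificate stays usable; the responder removes the client-side CRL download, not the CRL itself.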

Hi Greg, so is it then possible to install multiple roles on one server? Like the root certificate server and a sub-CA, for example one certificate server for servers and one certificate server for client PCs. Any answers ready? Thx.
February 7th, 2010 11:35pm

> so is it then possible, to install multiple roles on one server? like the root certificate server and sub-CA
No. You can install only one Certification Authority on one server.
> for example one certificate server for servers, one certificate client-pcs.
You need to install certificate services on separate servers.
http://www.sysadmins.lv
February 8th, 2010 10:21am

Thanks, Vadims, but how can I then create an enterprise CA for several target-based CAs? Our fear is: in case we made a mistake on the server certificates, we would just have to change the CA for all servers and the clients would not be affected. What do you think about this design? Does it make any sense to split the CA into several sub-CAs, or is it even better to create just one CA for all types of clients? We're talking about 400 clients and 100 servers in all. We need the CA for internal stuff like the intranet but also for wireless access. What we still don't know is what we're doing in the future, for example mail certificates (signatures) or EFS/BitLocker. Additional recommendations?
February 8th, 2010 11:21am

This really depends. It is strongly recommended to deploy at least 2 (two) issuing Enterprise CAs in your forest. It is also recommended to deploy them in different sites. If one CA fails or the connection to a particular site is broken, you will quickly be able to add the necessary templates to the working and accessible CA. For high availability you may consider clustering your CAs.
http://www.sysadmins.lv
February 8th, 2010 11:29am
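
Editor's added example of the failover step described above (two issuing Enterprise CAs, templates re-published on the surviving one). This is not code from the thread or from sysadmins.lv. It assumes two or more Enterprise CAs in the forest, the ActiveDirectory RSAT module on the machine running it, PowerShell remoting to the CA hosts (which have ADCSAdministration), and an account that is a CA administrator on them; no CA names are hard-coded, they are read from AD.

```powershell
# Added example, not from the original thread. Assumes >=2 Enterprise CAs, the
# ActiveDirectory module locally, remoting to the CA hosts, CA admin rights.

Import-Module ActiveDirectory

# 1. Every Enterprise CA registers itself under Enrollment Services in the
#    configuration partition, including the list of templates it publishes.
#    Read that instead of asking each CA, because a dead CA cannot answer.
$cfg = (Get-ADRootDSE).configurationNamingContext
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
          -Filter { objectClass -eq 'pKIEnrollmentService' } `
          -Properties cn, dNSHostName, certificateTemplates

# 2. Which of them are reachable right now? certutil -ping uses the CA's RPC/DCOM
#    interface, the same path clients use when they enroll.
$state = foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.cn)"
    certutil -config $config -ping 2>&1 | Out-Null
    [pscustomobject]@{
        Host      = $ca.dNSHostName
        Config    = $config
        Online    = ($LASTEXITCODE -eq 0)
        Templates = @($ca.certificateTemplates)
    }
}
$state | Format-Table Config, Online, @{ n = 'Templates'; e = { $_.Templates.Count } }

# 3. Fail over: any template published only on a CA that is down is added to each
#    surviving CA, so auto-enrollment and manual requests keep working.
#    Add-CATemplate acts on the local CA only, hence the remote call. Template
#    permissions live on the template object in AD, not on the CA, so nothing
#    else needs to change for clients to enroll from the other CA.
$down     = @($state | Where-Object { -not $_.Online })
$up       = @($state | Where-Object { $_.Online })
$orphaned = $down | ForEach-Object { $_.Templates } | Sort-Object -Unique
foreach ($survivor in $up) {
    foreach ($t in ($orphaned | Where-Object { $_ -notin $survivor.Templates })) {
        Invoke-Command -ComputerName $survivor.Host -ScriptBlock {
            param($name) Add-CATemplate -Name $name -Force
        } -ArgumentList $t
    }
}
```

Publishing the same templates on both CAs ahead of time is simpler still: the auto-enrollment client picks any reachable CA that publishes the template, so with identical template lists a CA outage needs no manual step at all. The split-by-purpose design the original poster asked about (one CA for servers, one for clients) is a different thing; it does nothing for availability unless each of those CAs is itself duplicated.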

OK, thanks for this information. I visited your website and I found some good information. And I found out you're Latvian! That rocks! :-D I was recently in Riga, Cesis and Sigulda. Back to our case: have you got a default list of what recommendations have to be done or thought about before I create a CA? Something like design considerations for a certificate authority? Would be great. Thanks.
February 8th, 2010 3:16pm

Please check the links above from Paul Adare and Joson Zhou. There you can find all the required information. Actually this is too long a subject to explain in a forum.
http://www.sysadmins.lv
February 8th, 2010 4:57pm

I will speak loudly for the PKI bible that Brian and Paul put together. It was their book that allowed me to put in my infrastructure using 2003. I now have the 2008 book for when I do my migration from 2003. That is my project for this year, hopefully.
February 9th, 2010 6:14pm
