certificate services for...well, smarties
We want to set up certificate services in our enterprise to support, among other things, smart cards, network access control, and WPA2-Enterprise. I'm fairly intimidated by this, as it seems like there are a large number of ways to paint oneself into a corner, painfully. I'd like to have a fighting chance of getting it right, and not having to redo my work later. Are there any good references which discuss not just the "mechanics" of setting up an enterprise CA, but also planning the architecture? Why I'd want to make certain choices vs. others? Not looking for spoon-feeding, just for solid guidance, best practices, and so forth. Thanks in advance.
March 1st, 2011 12:43pm

Have a look at this Microsoft article named "Certificate Services Best Practices". Keep in mind that once you have configured your root CA and your secondary CAs, it is recommended to keep your root CA offline for security reasons. For more information about PKI (Public Key Infrastructures), refer to this Microsoft link. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
March 1st, 2011 1:02pm

Do not follow the Microsoft best practices, I am not kidding. We did; we over-architected as they instructed. What overkill. All you need is one single-box solution, none of this offline CA stuff, trust me. Just install one single root Certificate Authority online, integrated with AD, and focus your efforts on issuing certificates. You want to spend your time securing your environment by giving out certs, not babysitting your 3-tier certificate services architecture (PKI). The manual CRL updates you have to do every 6 months following MS best practices are a pain. We are in the fifth year of our setup and have rebuilt it 3 times for various reasons, including a mirror setup in the lab. A single box will work just fine with a whole lot less headache. You will find that even with one box, certificates are still not as sexy as they are made to sound; there will be plenty of figuring out how to request them, install them, and revoke them, even with a one-tier solution.
March 1st, 2011 4:55pm
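Both replies circle the same operational risk: an offline root CA only publishes a CRL when someone manually republishes it, and once that CRL's nextUpdate has passed, revocation checking fails for every certificate chained beneath it. The following added Python example (not from this thread or from Microsoft) reads thisUpdate/nextUpdate out of a DER-encoded CRL with a stdlib-only ASN.1 walker and flags one that is expired or about to expire; SAMPLE_CRL, its issuer name "Example Root CA" and its six-month dates are constructed test data.

```python
"""Flag a CRL that is past, or close to, its nextUpdate (RFC 5280 CertificateList).
Minimal DER walker; SAMPLE_CRL is a constructed, unsigned test vector, not a real CRL."""
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, pos):
    tag, start, end = _tlv(buf, pos)                   # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc), end

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded CRL."""
    _, pos, _ = _tlv(der, 0)                           # CertificateList SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)                   # TBSCertList SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0x02:                                    # optional version INTEGER
        pos = end
    _, _, pos = _tlv(der, pos)                         # signature AlgorithmIdentifier
    _, _, pos = _tlv(der, pos)                         # issuer Name
    this_update, pos = _time(der, pos)
    next_update = None
    if pos < tbs_end and der[pos] in (0x17, 0x18):     # nextUpdate is OPTIONAL
        next_update, _ = _time(der, pos)
    return this_update, next_update

def crl_status(der, now, warn_days=14):
    """'expired', 'expiring' (within warn_days), 'ok', or 'no-next-update'."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-next-update"
    if now >= next_update:
        return "expired"
    return "expiring" if now + timedelta(days=warn_days) >= next_update else "ok"

def _der(tag, payload):                                # short-form lengths only; sample is small
    return bytes([tag, len(payload)]) + payload

_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
_ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))      # CN=Example Root CA
                                          + _der(0x0C, b"Example Root CA"))))
_TBS = _der(0x30, _der(0x02, b"\x01") + _ALG + _ISSUER
            + _der(0x17, b"110301000000Z") + _der(0x17, b"110901000000Z"))          # six-month CRL
SAMPLE_CRL = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00\x00\x00"))                   # placeholder signature
```

Pointing `crl_status` at the CRL fetched from each CDP URL on a schedule, with `now` as the current UTC time, turns the "republish every 6 months" chore into something that alerts before it silently breaks clients.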

This topic is archived. No further replies will be accepted.