Seems like a preference thing to me.

On the running your own CA side you've got:

Cost/risk of running another service
Benefit of auto-renewal
The need to keep the CRL endpoint service running/available to all clients that require LDAPS

On the use a 3rd party CA side you've got:
Cost of figuring out how to request a cert with a SAN (but folks here offered assistance with that)
Cost of keeping track of expiration & manually getting a renewed cert (we rebuild all our DCs with the latest OS which always comes out within 3 years, so never run into this)

Seems you could pick either and be justified in the cost/benefit, and it's really just a preference for one over the other.

Classic YMMV. :)
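Whichever side of the cost/benefit you land on, the two things that bite later are the SAN not covering the name clients use and the certificate quietly expiring. An added example (not from anyone in this thread) that pulls the certificate each DC actually serves on 636 and reports both; the DC names and the warning threshold are placeholders:

```powershell
# Added example: inspect the certificate each DC presents on LDAPS (636).
# Placeholder values below are assumptions, not from the thread.
param(
    [string[]]$DomainControllers = @('dc1.ad.example.internal'),  # placeholder DC FQDNs
    [int]$WarnDays = 30                                          # placeholder threshold
)

function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain on purpose: we want to read the
        # certificate and judge it ourselves, not rely on the local trust store.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-LdapsCertificate {
    param([string]$HostName, [int]$WarnDays)
    $cert = Get-LdapsCertificate -HostName $HostName
    # 2.5.29.17 is the Subject Alternative Name extension.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $escaped = [regex]::Escape($HostName)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer      # shows whether your own CA or a 3rd party issued it
        SAN         = $sanText
        NameMatches = ($sanText -match $escaped) -or ($cert.Subject -match "CN=$escaped")
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        Expiring    = ($daysLeft -le $WarnDays)
    }
}

$DomainControllers | ForEach-Object { Test-LdapsCertificate -HostName $_ -WarnDays $WarnDays } | Format-List
```

Run it from a scheduled task and alert on any row with NameMatches false or Expiring true; that covers the manual-tracking cost on the third-party side and catches a wrong SAN on either side.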

From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: Tuesday, February 26, 2013 6:42 AM
To: [log in to unmask]
Cc: [log in to unmask]
Subject: Re: [windows-hied]: Certificate Authority in an AD tree

Hi,

This: http://technet.microsoft.com/en-gb/library/cc772393%28v=ws.10%29.aspx and other guides we read seemed to be wanting us to do a lot of things we didn't see the need for.  In fact just simply installing the CS role on DC is all we needed.

We didn't want to use a 3rd party cert as described in 321051 because they're generally short lived and would have been more difficult to issue with a SAN for a "domain" (our AD domain) we don't "own".    But yes, 321051 looks straightforward and we corresponded with someone locally about the idea,  their advantage is that they'd called their AD domain the same as their owned internet domain.

Cheers
Andy
________________________________
From: James M Pulver [[log in to unmask]]
Sent: 26 February 2013 13:15
To: Andy Swiffin; [log in to unmask]<mailto:[log in to unmask]>
Cc: [log in to unmask]<mailto:[log in to unmask]>
Subject: RE: Certificate Authority in an AD tree
I'm not sure if I'm missing Andy's implication on the first point, but I found these instructions to be relatively simple and to work if you don't run your own CA:
http://support.microsoft.com/kb/321051


--
James Pulver
LEPP Computer Group
Cornell University

From: [log in to unmask]<mailto:[log in to unmask]> [mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: Tuesday, February 26, 2013 6:34 AM
To: [log in to unmask]<mailto:[log in to unmask]>
Cc: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [windows-hied]: Certificate Authority in an AD tree

Hi

Thanks to those who responded to our requests for help on this with several helpful options.  I just thought I'd summarise our findings in case anyone else is in our shoes:

One site uses a "real" certificate in their LDAP servers,  which we looked into but hit issues with our AD domain not being named the same as our "proper" domain name.  We could have obtained a certificate but it would have been less easy and would then be short-lived (2 year).

What we did find was that the Microsoft instructions for this are way OTT and you can very simply install the AD certificate services role onto the appropriate DC and just issue a long life self-signed certificate for the LDAP server.  We've since used that to issue FIM certificates and this is quite adequate.   The huge infrastructure that the documentation was leading us to seems to be totally unnecessary for what we want to do.

Cheers
Andy

________________________________
From: Andy Swiffin
Sent: 14 January 2013 16:27
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Certificate Authority in an AD tree

When we started moving things over to AD, we were slightly surprised to find the LDAP servers don't do 636 out of the box and started looking at generating a certificate for them, only to find we had yet to install a CA.   We've started to look into AD certificate services and it's all a bit bemusing.   It seems to be telling us that we need to do all kinds of stuff like install a separate server with the root CA on, which is usually turned off,  we need to have more servers as Enterprise subordinate issuing CAs, and more as Online Responders and on and on and on.....

Is all this necessary?   As I see it I want:

a CA
from which I want to issue a certificate for an LDAP server.   (maybe two or three more as we migrate more things over to it),
.  <period!>

Can I not do this on just one server,  (one of the DCs),  do I need all of this other stuff?   All I want to do is secure an LDAP server.


The University of Dundee is a registered Scottish Charity, No: SC015096