I have a few questions regarding a proposed implementation of an Enterprise
CA into our production environment, which I'm hoping people can give me
feedback on. I've read a lot of the Microsoft documentation on PKI, however
sometimes there's no substitute for real world experience etc.
The drive behind the need to deploy a PKI is the move to RADIUS Auth PEAP
MSCHAP v2 for our Wireless clients. I've successfully created a test lab
using a CISCO 1100 Series AP, and one Windows 2003 Enterprise server running
AD, IAS, IIS 6 & Enterprise CA. We have ruled out the purchase of 3rd party
certificates for our IAS servers and wish to deploy a PKI.
Due to our size (under one hundred users) and our modest needs to initially
improve wireless security, a three tier PKI seems overkill. We can also
easily physically secure our Enterprise CA in a secure data centre.
To outline our environment:
All servers running Windows 2003 Enterprise with SP1, all clients winXP pro
SP2
Site 1 (Secure Data centre)
1 x Enterprise root CA (proposed location)
2 x DC
1 x Exchange server
Site 2 (Office1) Connected to Site 1 via hardware VPN
2 x IAS Server
2 x DC
50 x Wireless Users (Access 802.1x - PEAP MSCHAP v2)
Site 3 (Office 2) Connected to Site 1 via hardware VPN
2 x IAS Server
2 x DC
50 x Wireless Users (Access 802.1x - PEAP MSCHAP v2)
Questions:
1 - Will the deployment of an Enterprise CA in our production environment
require any GP changes for DCs and clients? As I understand it a single
tier CA publishes the certs to AD.
2 - Our Exchange server has a Thawte SSL cert for RPC/HTTPS and OWA access.
Can we scrap this on renewal and issue our own from our Enterprise CA?
And if so, will this only work for access via domain member machines, and
will non-domain members be required to install a cert from us?
3 - Once the Enterprise CA has issued the cert to the IAS servers, there's no
"continual" traffic between the Enterprise CA and IAS servers? i.e. only if
revoked etc.
4 - I don't need IIS on the CA, as web enrolment is only needed for Win2000
or non-Windows clients and all my clients are WinXP Pro SP2. Correct?
5 - An open-ended question I know, but any thoughts I guess - In my test lab
it was simply a case of installing the Enterprise CA, gpupdate and off I
went. Is there anything else I should be aware of when I go to production?
6 â?? Is the proposal sound for our needs?
If you got this far, thanks
Steve
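A set of post-deployment checks covering questions 1, 3 and 5 above, as an added example that is not part of the original post or of any reply. It uses only certutil (shipped with Windows Server 2003) and assumes hypothetical names: the CA runs on a host called CA01 with the CA common name "Contoso Root CA", and the certificate issued to an IAS server has been exported to C:\checks\ias01.cer. Run it from a domain member such as one of the IAS servers.

```batch
@echo off
REM Added example, not from the original post. Hypothetical names below:
REM CA host CA01, CA name "Contoso Root CA", exported IAS server cert
REM at C:\checks\ias01.cer. Adjust to match your environment.
setlocal
set CA_CONFIG=CA01\Contoso Root CA
set IAS_CERT=C:\checks\ias01.cer

echo [1] Root store published to AD by the Enterprise CA (question 1).
echo     The Enterprise root CA certificate should appear here on every
echo     domain member after gpupdate, with no extra GP change.
certutil -store -enterprise Root

echo [2] NTAuth store. The issuing CA must be listed here for domain
echo     members to accept its certificates for PEAP / logon purposes.
certutil -store -enterprise NTAuth

echo [3] Can this machine reach the CA over RPC/DCOM (across the VPN)?
certutil -config "%CA_CONFIG%" -ping

echo [4] Build the chain for the IAS server cert and fetch the AIA/CDP
echo     URLs as a wireless client's PEAP handshake would (question 3:
echo     the only ongoing dependency on the CA is reaching its CRL).
certutil -verify -urlfetch "%IAS_CERT%"

echo [5] How long each published CRL stays valid on the CA. If the CA
echo     at Site 1 is unreachable for longer than this, chain building
echo     with revocation checking at Sites 2 and 3 starts to fail.
certutil -config "%CA_CONFIG%" -getreg CA\CRLPeriodUnits
certutil -config "%CA_CONFIG%" -getreg CA\CRLPeriod

echo [6] Confirm the IAS certificate carries the Server Authentication
echo     EKU (1.3.6.1.5.5.7.3.1); PEAP clients reject it otherwise.
certutil -dump "%IAS_CERT%" | findstr /C:"Server Authentication"
endlocal
```

Check [4] is the one worth re-running before a cut-over: a chain that verifies locally but fails with -urlfetch means the CRL distribution point is not reachable from the remote sites, and PEAP clients at Sites 2 and 3 will see the same failure once the cached CRL expires.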