This would be best asked and answered in the security newsgroup.
I can tell you though if you move your CA, you will break your trust and all
certs issued will no longer be trusted and have to be re-issued by the new
CA you create. So be aware of that.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
In our situation, no certificate has been delivered yet so no problem
for that.
We would like to know what the differences (default settings) are
between the Enterprise and Standalone CA.
Thanks
> "Pascal" <pasc...@nospam.hotmail.com> wrote in message
> news:mn.cb307d833...@nospam.hotmail.com...
>> Hi,
>>
>> One person in my team has made a project with a standalone CA but we are
>> thinking about installing an Enterprise CA as we are using Active
>> Directory.
>>
>> We don't have any special needs actually but the advantage to have the
>> Enterprise CA is the auto-enrollment so we would like to install it for the
>> project and not anymore the standalone CA.
>>
>> My question is, what differences should we have to know about the
>> installation of an Enterprise CA in place of a Standalone CA ? (or more
>> exactly what default options should I have to change on the Enterprise CA
>> to work as if I was using a Standalone CA?)
>>
>> For example, I am thinking about changing the default value of
>> autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
>> certificate request status to pending).
>>
>> But is there anything else ?
>>
>> Thank you
>>
>> -- Pascal
>>
>>
>
> This would be best asked and answered in the security newsgroup.
>
> I can tell you though if you move your CA, you will break your trust and all
> certs issued will no longer be trusted and have to be re-issued by the new CA
> you create. So be aware of that.
--
Pascal
Stand Alone CA
* No Certificate templates available (specific requests are required)
* No autoenrollment available (approval needed)
* Supported by AD environments and non-AD environments
* Most of the time used for root and policy CAs that are offline

If you wanna know more about MS PKI, I suggest you start reading "Windows
Server 2003 PKI Certificate Security" from Brian Komar. Great book!
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyF...@gmail.com> wrote in message
news:eY285Eoj...@TK2MSFTNGP02.phx.gbl...
> Enterprise CA
> * Certificate templates available
Actually, this is the only way of getting certificates. Enrollment go/no go
is based on permissions on the template and the account used to submit the
request to the CA. You can, in a certificate template, imitate the policy of
the standalone CA, and pend the request for certificate manager approval.
> * Autoenrollment is possible
Just to make sure you have all the facts, you must have an enterprise CA
running on Enterprise Edition to use autoenrollment and V2 certificate
templates.
> * Supported by AD environments
> * Most of the time used for issuing certs to end-entities
>
> Stand Alone CA
> * No Certificate templates available (specific requests are required)
> * No autoenrollment available (approval needed)
> * Supported by AD environments and non-AD environments
> * Most of the time used for root and policy CAs that are offline
>
> if you wanna know more about MS PKI, I suggest you start reading "Windows
> Server 2003 PKI Certificate Security" from Brian Komar. Great book!
>
Thanks, 2008 version is coming out soon!