Combining standalone and Enterprise CAs advice

Tim Guy

I am looking to put a Certificate server into a customer's for an 802.1x
solution.

It will be two servers giving out computer certificates through the AD and
user certificates via web certsrv.

If the customer wanted to take that certificate setup and use it for mail
and external certificates, what would I need to do to combine the two?

Would I need another separate server as a standalone server with a third
party root key separate to the enterprise CA or can it be combined on the two
servers I already have?

Also, does it have to be done now while the Enterprise CA is being installed
or can it be added later?

Cheers

Tim
 
This is a pretty broad question, but I can give you some general advice.
- S/MIME - if it will only be used internally, you can use a private root.
If you want to use it externally *without having to exchange root
certificates*, using a public root may have advantages.
- A public root can sign an Enterprise CA or a Standalone CA
- There is no reason to buy 802.1x certificates from a public root.

You may end up with a hierarchy that has a private root with an issuing CA
that issues authentication certificates, and an issuing CA that chains to a
public root for S/MIME.
 