installing Microsoft Certificate Server

  • Thread starter: george d lake

george d lake

Hi,
I have win2000 Server on a domain (ddd) and I need to install
Certificate Server on it.
Can I issue certificates for any domain (ddd, eee, ttt) etc?

Also, I get a message when I try to install. It says something like that
I can't add or delete this PC from a domain if I install the Certificate
Server.
This box has IIS and SQL running. It is also the main (and only) web
server we have.

Any help is appreciated.
 
In general, yes, you can sign any request from any domain with your own CA.
The only thing is that clients that don't have your root certificate in their
store under Trusted Root Certification Auth. won't trust sites that are
protected by certificates signed by your CA, no matter what domain name you
use. The client will be warned about the certificate not being trusted and will
have to click YES to continue.

A server that is also a CA server can't be renamed or joined/disjoined from a
domain. If you change, e.g., the CA server name, you will have to reissue all the
certificates...

To give you more information we would have to know the purpose of this CA
(its main and other roles)...
 
OK, here are the details.
We have a domain XYZ that is where all the users are and do the NT auth.
(PDC, BDC) This is an NT4 network with NT4 Workstations, a few 2000 Pro and a
growing number of XP Pro.

The web server is in the XYZ domain, but all the sites are mysite.ABCDomain
(Why? I have no clue.)
So the question is, the users auth on the XYZ domain and view sites on the
ABC domain. Is there any problem with this?
And if I install CS on the IIS Server that is on the XYZ domain, will it
cause any problems to that server?

We need to add SSL to some pages that are viewed in the INTRANET, so there
will be no external access.

I hope this helps.
Thanks.
George.
 
Hi George,

Yes, you can make this work. So your main purpose is to create secure (SSL
protected) sites. You will only have some work to do to import the Root
Certificate to every PC to prevent it from displaying a Security Alert
telling people that this site is not trusted. The reason for this, as I
explained, is that this will be your own CA and clients won't know anything
about it till you import the Root Certificate.

The only thing I would like to warn you about is to protect your CA server.
Don't expose it to the internet... It should only be accessible from your
internal network.
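
The trust behaviour described in the replies above, reproduced with the `openssl` command line as an added example (not part of the original thread, and not the Windows Certificate Server procedure itself). The CA name, the host name `mysite.abcdomain.example` and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: a private root CA signs a certificate for a site in
# another DNS domain; a client trusts it only once it holds the root.
# All names below are constructed for this demo.

# Create a self-signed root CA in directory $1 and sign a certificate for host $2.
issue_from_private_ca() {
    dir=$1; host=$2
    # Root CA: self-signed certificate plus private key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Intranet Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Web server: key pair and certificate request for the site name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null || return 1
    # The CA signs whatever name the request carries; nothing ties it to a domain.
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/site.crt" 2>/dev/null
}

# Succeed if certificate $1 chains to a trusted root.
# With $2, that file acts as the trust store (client that imported the root);
# without it, openssl's default store is used (client that did not).
client_trusts() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1)
    else
        out=$(openssl verify "$1" 2>&1)
    fi
    case $out in
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if issue_from_private_ca "$demo" mysite.abcdomain.example; then
    if client_trusts "$demo/site.crt"; then
        echo "root not imported: trusted"
    else
        echo "root not imported: NOT trusted (client would see the security alert)"
    fi
    if client_trusts "$demo/site.crt" "$demo/ca.crt"; then
        echo "root imported: trusted"
    fi
fi
rm -rf "$demo"
```

The only file a client ever needs is `ca.crt`; `ca.key` stays on the CA, which is why the CA server itself should be reachable only from the internal network.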
 