LDAP/S


Bob Weiner

I haven't run a CA before and want to know if there will be any side-effects
to setting one up to support LDAP/S. I have a Win2k3 domain.

One of our Linux guys wrote a password changing routine to update users'
Windows accounts which runs from a Linux box. Of course, this routine could
have been easily written on the windows side and made available but ...

Anyway, he now wants a CA installed in the domain to support LDAP/S which is
needed to make the password update. Is this something I can do quickly
without impacting either the domain as it exists now or our ability to
implement a proper PKI structure later?

I'm not looking for someone to explain how to do it; I'm sure I can find info
on that. All I need to know is IF I pull out a how-to article on
installing a CA and do it with minimal understanding, will I regret it
later?

thanks,
bob
 
A Certificate Authority can be very useful in the domain. If possible,
install it on an Enterprise version of Windows 2003 Server so that you can
install an Enterprise Certificate Authority that will be able to take
advantage of version 2 templates and autoenrollment for XP Pro computers and
users. Keep in mind that you want your root CA to be physically secure to
minimize the possibility of compromise of your PKI. You also want to make sure
that for now only certificates you want issued are issued. You can do so
by modifying the permissions on the certificate templates. A user/computer
needs enroll permission to obtain a certificate.

--- Steve

http://www.microsoft.com/technet/security/prodtech/windows2000/secmod154.mspx
 