Main differences between Enterprise CA and Standalone CA ?

Hi,

one people in my team has made a project with a standalone CA but we
are thinking about installing an Enterprise CA as we are using Active
Directory.

We don't have any special needs actually but the advantage to have the
Enterprise CA is the auto-enrollment so we would like to install it for
the project and not anymore the standalone CA.

My question is, what differences should we have to know about the
installation of an Enterprise CA in place of a Standalone CA ? (or more
exactly what default options should I have to change on the Enterprise
CA to work as if I was using a Standalone CA?)

For example, I am thinking about changing the default value of
autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
certificate request status to pending).

But is there anything else ?

Thank you

--
Pascal

Paul
Tue Mar 25 06:00:20 PDT 2008

"Pascal" <pascal_t@nospam.hotmail.com> wrote in message
news:mn.cb307d833c005dee.70874@nospam.hotmail.com...
> Hi,
>
> one people in my team has made a project with a standalone CA but we are
> thinking about installing an Enterprise CA as we are using Active
> Directory.
>
> We don't have any special needs actually but the advantage to have the
> Enterprise CA is the auto-enrollment so we would like to install it for
> the project and not anymore the standalone CA.
>
> My question is, what differences should we have to know about the
> installation of an Enterprise CA in place of a Standalone CA ? (or more
> exactly what default options should I have to change on the Enterprise CA
> to work as if I was using a Standalone CA?)
>
> For example, I am thinking about changing the default value of
> autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
> certificate request status to pending).
>
> But is there anything else ?
>
> Thank you
>
> --
> Pascal
>
>

This would be best asked and answered in the security newsgroup.

I can tell you though if you move your CA, you will break your trust and all
certs issued will no longer be trusted and have to be re-issued by the new
CA you create. So be aware of that.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Pascal
Tue Mar 25 06:34:40 PDT 2008

Thank you Paul.

In our situation, no certificate has been delivered yet so no problem
for that.

We would like to know what are the differences (default settings)
between the enterprise and standalone CA.

Thanks
> "Pascal" <pascal_t@nospam.hotmail.com> wrote in message
> news:mn.cb307d833c005dee.70874@nospam.hotmail.com...
>> Hi,
>>
>> one people in my team has made a project with a standalone CA but we are
>> thinking about installing an Enterprise CA as we are using Active
>> Directory.
>>
>> We don't have any special needs actually but the advantage to have the
>> Enterprise CA is the auto-enrollment so we would like to install it for the
>> project and not anymore the standalone CA.
>>
>> My question is, what differences should we have to know about the
>> installation of an Enterprise CA in place of a Standalone CA ? (or more
>> exactly what default options should I have to change on the Enterprise CA
>> to work as if I was using a Standalone CA?)
>>
>> For example, I am thinking about changing the default value of
>> autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
>> certificate request status to pending).
>>
>> But is there anything else ?
>>
>> Thank you
>>
>> -- Pascal
>>
>>
>
> This would be best asked and answered in the security newsgroup.
>
> I can tell you though if you move your CA, you will break your trust and all
> certs issued will no longer be trusted and have to be re-issued by the new CA
> you create. So be aware of that.

--
Pascal

Jorge
Tue Mar 25 07:04:40 PDT 2008

Enterprise CA
* Certificate templates available
* Autoenrollment is possible
* Supported by AD environments
* Most of the times used for issuing certs to end-entities

Stand Alone CA
* No Certificate templates available (specific requests are required)
* No autoenrollment available (approval needed)
* Supported by AD environments and non-AD environments
* Most of the times used for root and policy CAs that are offline)

if you wanna know more about MS PKI, I suggest you start reading "Windows
Server 2003 PKI Certificate Security" from Brian Komar. Great book!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Pascal" <pascal_t@nospam.hotmail.com> wrote in message
news:mn.cb307d833c005dee.70874@nospam.hotmail.com...
> Hi,
>
> one people in my team has made a project with a standalone CA but we are
> thinking about installing an Enterprise CA as we are using Active
> Directory.
>
> We don't have any special needs actually but the advantage to have the
> Enterprise CA is the auto-enrollment so we would like to install it for
> the project and not anymore the standalone CA.
>
> My question is, what differences should we have to know about the
> installation of an Enterprise CA in place of a Standalone CA ? (or more
> exactly what default options should I have to change on the Enterprise CA
> to work as if I was using a Standalone CA?)
>
> For example, I am thinking about changing the default value of
> autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
> certificate request status to pending).
>
> But is there anything else ?
>
> Thank you
>
> --
> Pascal
>
>

Jorge
Tue Mar 25 07:54:34 PDT 2008

Hi
I suggest you to have a look at this:
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

It has everything you need to know
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Brian
Tue Mar 25 08:02:33 PDT 2008

Just adding a few things.



"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:eY285EojIHA.1164@TK2MSFTNGP02.phx.gbl...
> Enterprise CA
> * Certificate templates available
Actually, this is the only way of getting certificates. enrollment go/no go
is based on permissions on the template and the account used to submit the
request to the CA. You can, in a certificate template, imitate the policy of
the standalone CA, and pend the request for certificate manager approval.


> * Autoenrollment is possible
Just to make sure you have all the facts, you must have an enterprise CA
running on Enterprise Edition to use autoenrollment and V2 certificate
templates

> * Supported by AD environments
> * Most of the times used for issuing certs to end-entities
>
> Stand Alone CA
> * No Certificate templates available (specific requests are required)
> * No autoenrollment available (approval needed)
> * Supported by AD environments and non-AD environments
> * Most of the times used for root and policy CAs that are offline)
>
> if you wanna know more about MS PKI, I suggest you start reading "Windows
> Server 2003 PKI Certificate Security" from Brian Komar. Great book!
>

Thanks, 2008 version is coming out soon!
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
> ------------------------------------------------------------------------------------------
> * How to ask a question --> http://support.microsoft.com/?id=555375
> ------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
> ------------------------------------------------------------------------------------------
> #################################################
> #################################################
> ------------------------------------------------------------------------------------------
> "Pascal" <pascal_t@nospam.hotmail.com> wrote in message
> news:mn.cb307d833c005dee.70874@nospam.hotmail.com...
>> Hi,
>>
>> one people in my team has made a project with a standalone CA but we are
>> thinking about installing an Enterprise CA as we are using Active
>> Directory.
>>
>> We don't have any special needs actually but the advantage to have the
>> Enterprise CA is the auto-enrollment so we would like to install it for
>> the project and not anymore the standalone CA.
>>
>> My question is, what differences should we have to know about the
>> installation of an Enterprise CA in place of a Standalone CA ? (or more
>> exactly what default options should I have to change on the Enterprise CA
>> to work as if I was using a Standalone CA?)
>>
>> For example, I am thinking about changing the default value of
>> autoenrollment in the Enterprise CA ( Policy Modules/Properties/Set the
>> certificate request status to pending).
>>
>> But is there anything else ?
>>
>> Thank you
>>
>> --
>> Pascal
>>
>>
>