PKI Issuing CA on Domain Controllers

Posted by dunxd on Server Fault
Published on 2010-12-30T11:25:42Z

I am setting up a PKI which will initially be used internally. As we may grow our use of this, I have opted for a three-tier hierarchy - Offline Root and Policy CAs (one Policy CA at the moment for internal use), and online issuing CAs. We had initially discussed using our Domain Controllers as the Issuing CAs rather than setting up dedicated ones.

I am now starting to have doubts about whether it is a good idea to have our DCs do certificate issuing. We have fewer than 1000 users, so our DCs aren't hugely taxed.

Does anyone have any suggestions for or against doing this?

We are currently running Windows 2003 Active Directory, but will be upgrading to Windows 2008 in the coming year. I'm setting up Windows 2008 PKI.
