PKI Issuing CA on Domain Controllers
Posted
by
dunxd
on Server Fault
See other posts from Server Fault
or by dunxd
Published on 2010-12-30T11:25:42Z
Indexed on
2010/12/30
11:56 UTC
Read the original article
Hit count: 374
active-directory
|pki
I am setting up a PKI which will initially be used internally. As we may grow our use of this I have opted for a three tier hierarchy - Offline Root and Policy CAs (one Policy CA at the moment for internal use), and online issuing CAs. We had initially discussed using our Domain Controllers as the Issuing CAs rather than setting up dedicated ones.
I am now starting to have doubts about whether it is a good idea to have our DCs do certificate issuing. We have less than 1000 users, so our DCs aren't hugely taxed.
Does anyone have any suggestions for or against doing this?
We are currently running Windows 2003 Active Directory, but will be upgrading to Windows 2008 in the coming year. I'm setting up Windows 2008 PKI.
© Server Fault or respective owner