PKI Management

I'm in the process of doing the discovery work on PKI management, I've come to the conclusion that a Win server Enterprise CA works the best...

..however, as far as I can work out, only Enterprise editions of Server 2008/2003 will work for things like issuing certificates to Apache webservers (via the manual methods)

I'm just wondering what other people use?

We currently have no Windows server and were investigating deploying SBS2008 so the Enterprise edition would be a bit of a stretch from there.

In the Windows CA services can you export the CRL and publish it elsewhere?
 
Our PKI infrastructure is 2-tier, which is adequate for most places, but depends on how big and complex your company is. There is quite a lot to consider if you want to do it properly - the preparation work can take a while.

You set up the CA with publication points (CRL & AIA) - one of these could be a website (http://certs.yoursite.com/AFolder) - you can also publish into Active Directory, for example.

How many Apache web servers do you have? It may be just cheaper and easier for you to purchase certificates.

On a side note - you have me on MSN, get in touch and I can send you something useful.
 
It's probably 6 or so Apache servers - but they are all internal and it feels wrong to buy in public certificates for a http://server.company.local!

I'd be looking at issuing user certs and stuff too, if it comes to it, I can do what I've been doing and just use OpenSSL and its associated scripts - it's a pain but it works.
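
The OpenSSL route and the 2-tier layout with HTTP publication points discussed in this thread, as an added example that is not part of any post: it builds a root and an issuing CA, issues a certificate for an internal host carrying the CRL and AIA URLs, and produces a CRL file that can be copied to the web server. The CA names, file names and lifetimes are constructed; only the publication URL and host name come from the thread.

```shell
#!/bin/sh
# Added example: CA names, file names and lifetimes are constructed for illustration.
PUB="http://certs.yoursite.com/AFolder"   # HTTP publication point named in the thread

write_conf() {   # one file for request settings, extensions and the CA database
cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
default_ca = issuing
[issuing]
database = index.txt
default_md = sha256
default_crl_days = 7
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.company.local
crlDistributionPoints = URI:$PUB/issuing.crl
authorityInfoAccess = caIssuers;URI:$PUB/issuing.crt
EOF
}
new_csr() {      # $1 = file stem, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {         # $1 = stem to sign, $2 = signing CA stem, $3 = extension section, $4 = days
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile pki.cnf -extensions "$3" -days "$4" -out "$1.crt" 2>/dev/null
}
ca_cmd()  { openssl ca -config pki.cnf -cert issuing.crt -keyfile issuing.key "$@" 2>/dev/null; }
gen_crl() { ca_cmd -gencrl -out issuing.crl; }   # the file to copy to $PUB
revoke()  { ca_cmd -revoke "$1" && gen_crl; }    # record the revocation, then re-issue the CRL
check()   { openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
                -CRLfile issuing.crl "$1" >/dev/null 2>&1; }

build_pki() {    # $1 = working directory; the subshell keeps the cd local
( mkdir -p "$1" && cd "$1" && write_conf && : > index.txt &&
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
      -keyout root.key -out root.crt -subj "/CN=Example Root CA" -days 3650 2>/dev/null &&
  new_csr issuing "Example Issuing CA" && sign issuing root v3_ca 1825 &&   # tier 2
  new_csr leaf "server.company.local" && sign leaf issuing v3_leaf 365 &&   # Apache host
  gen_crl )
}
```

Run `build_pki` on an empty directory, then from inside it `check leaf.crt` succeeds until `revoke leaf.crt` has been run, after which the regenerated `issuing.crl` makes the same check fail.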
 