
Why standalone certificate authorities are more secure

Microsoft recommends installing a standalone certificate authority when there is no Active Directory domain, and automatic deployment of certificates to users and computers is not required. SearchExchange.com expert Richard Luckett explains why this approach is best for security.

I understand that Microsoft only recommends installing a standalone certificate authority when you do not have an Active Directory domain, and automatic deployment of certificates to users and computers isn't required.

If someone wants to take advantage of the enterprise certificate authority, but wants the best security, can the certificate authority be placed on the internal network (thereby requiring the ISA server to be a member of the internal domain)?

It seems to me that you have two lines of thought converging here. One is trying to figure out how to deploy your enterprise certificate authority (CA) in the most secure fashion, and the other has something to do with ISA. I think I know where you are headed, so I'll give it a shot.

Microsoft recommends deploying a standalone certificate authority to protect the root certificate authority from being compromised. Standalone certificate authorities can be taken offline (when they are not being used to generate certificates) which helps to protect the validity of your root certificate authority. The workload of deploying user certificates can be done by subordinates while the root certificate authority is offline. Subordinate certificate authorities can be member servers of the domain and can be used for automating the deployment of certificates.

How can ISA help? ISA can prevent any external users from accessing the certificate authority. And depending on how you configure ISA, it can even help you protect your certificate authority from internal users as well.

I hope this helps. Please respond with a comment to this answer if I'm way off base here.
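The two-tier layout described in the answer (an offline standalone root that only signs the subordinate, and a domain-joined enterprise subordinate that does the day-to-day issuing), as an added PowerShell example that is not part of the original Q&A. It assumes Windows Server 2012 or later with the ADCSDeployment module; the CA names, file paths, key sizes and validity periods are placeholders, and the `-dspublish` step needs Enterprise Admin rights.

```powershell
# Run with -Role Root on the workgroup (non-domain) root machine first, then
# with -Role Subordinate on the domain-joined issuing CA. Names are placeholders.
param([Parameter(Mandatory)][ValidateSet('Root','Subordinate')][string]$Role)

$RootName = 'Example-Offline-Root-CA'   # placeholder CA common names
$SubName  = 'Example-Issuing-CA'
$Provider = 'RSA#Microsoft Software Key Storage Provider'

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

if ($Role -eq 'Root') {
    # CAPolicy.inf must exist before the role is configured. The root's CRL is
    # long-lived because the box is powered off between signing sessions.
    @'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
'@ | Set-Content "$env:windir\CAPolicy.inf" -Encoding ASCII

    # Standalone root: no AD dependency, so it can be kept offline.
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
        -CACommonName $RootName -KeyLength 4096 -HashAlgorithmName SHA256 `
        -CryptoProviderName $Provider -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

    certutil -crl   # publish the first CRL
    # Copy %windir%\system32\CertSrv\CertEnroll\*.crt and *.crl to removable
    # media for the subordinate, sign the subordinate's .req here, then shut down.
} else {
    # Publish the offline root's certificate and CRL into Active Directory so every
    # domain member trusts the chain (files carried over from the root by hand).
    certutil -dspublish -f .\Root.crt RootCA
    certutil -dspublish -f .\Root.crl

    # Enterprise subordinate: generates a request to be signed on the offline root.
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
        -CACommonName $SubName -KeyLength 4096 -HashAlgorithmName SHA256 `
        -CryptoProviderName $Provider -OutputCertRequestFile "C:\$SubName.req" -Force
    # Once the signed certificate comes back from the root:
    #   certutil -installcert "C:\$SubName.crt"; Start-Service certsvc
}
```

The root's private key never touches the domain, so a compromise of the online issuing CA can be handled by revoking and re-issuing the subordinate certificate from the root rather than rebuilding trust from scratch.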




This was first published in November 2005.
