Installing CA on office Server ok?

mr2nut

I'm wanting to test out this CA and PKI stuff for my exam and would like hands on practise. I've got a main Server in my works office that is used for file serving and E-Mail as well as IIS. It currently doesn't have CA installed under admin tools. What would be the implications of me installing this tool on this Server? Would it screw everything up for everyone else whilst I was testing between my PC and the Server sending/receiving certificates, or would it only take effect and ask for authentication for files/emails etc. for people who decide to use it (i.e. me) or will it apply to everyone?

Essendon

I wouldnt apply anything related to my lab testing on the production network whether it made a difference to others or not. Can I ask why you want to install CA in your company's network?

BTW, I cant comment on the actual question, havent read the CA/PKI section yet.

mr2nut

MobilOne wrote:

I wouldnt apply anything related to my lab testing on the production network whether it made a difference to others or not. Can I ask why you want to install CA in your company's network?

BTW, I cant comment on the actual question, havent read the CA/PKI section yet.

It's because when I have spare time in the office i'd like to keep learning and make the use of our technology here and I find it far easier to learn these boring MS books when doing the lessons in a real environment as it sinks in more.

It's no particular question, I just want see how this CA works as i've not had to use it before, always used PPTP VPNs and never used any IPSEC security for things as i've never really had to.

Essendon

mr2nut wrote:

It's because when I have spare time in the office i'd like to keep learning and make the use of our technology here and I find it far easier to learn these boring MS books when doing the lessons in a real environment as it sinks in more.

+1 to that. What I have at my work desk is a couple of boxes running Server 2003 and a few VM's. Maybe you can rig up something similar and do your testing on that.

mr2nut

I suppose I could put VMware on my PC and do it that way. I've not used that for years! I could have to windows open and set some Network adapters up and do it that way. I suppose it's just like having a Server and a client anyway, nice one.

Essendon

VMWare's the way to go. Plus it's the product used in actual networks, so you atleast have some knowledge of the product. In addition, you can break/fix all you want. Obviously cant do that in production, can ya?

mr2nut

MobilOne wrote:

VMWare's the way to go. Plus it's the product used in actual networks, so you atleast have some knowledge of the product. In addition, you can break/fix all you want. Obviously cant do that in production, can ya?

Definately not

I've actually just installed Virtual PC 2007 as were a Microsoft Partner we get that for free. That will do the same job if I have to virtual partitions on my PC and run Server2k3 and an XP client, I should be able to log in and test the CA and other bits. It shouldn't interfere with our other Server aslong as I don't do a dcpromo on it right? I'll put it on a different ip range/subnet anyway to make sure.

Essendon

By all means DCPROMO it. Just put it on a different subnet and dont configure a NAT router in Virtual PC (I aasume you can do that, I havent used it). That'll prevent your VM's from getting out to your corporate network.

mr2nut

Ok i've got a 2k3 server and xp pro client running now on a test subnet. I've installed CA and it's now running with a test CA...... my problem is, what exactly can I do now? I've NEVER used it before and wondering what I can do to test things such as file transfers etc.

Mishra

Setup your CA roles. You need to setup the 3 tier design they provide in the book.

mr2nut

Mishra wrote:

Setup your CA roles. You need to setup the 3 tier design they provide in the book.

I've put an enterprise active directory CA called test and then gone to a client machine and done http://10.0.0.1/certsrv, or do you only use the website manually if your not using active directory? If so, how do you send out certificates through active directory or is it automatic? Also, how can you see if a users machine is using certificates and what for?

dynamik

You can still request certs manually if AD is present. If you want to do things automatically, research autoenrollment.

Start > run > mmc and load the certificates (might be called something slightly different) snap-in to view certs on a client machine.

Also, I don't think you need the three tier model when you're simply playing around. That's just best practice in larger organizations. Set it up if you can get that many VMs running.

Just FYI, best practice for root CAs is to make them stand-alone and take them offline.