Certificate testing

Got a little test Domain running and I have a domain controller running as Enterprise CA. I have a Windows XP test PC on the domain too as I was going to do some testing. Now, am I right in thinking that you don't use Certificates for local Domain authentication, but instead you use Kerberos and then use Certificates for external users who aren't part of your domain or trusted in your Forest?

I've been doing a lot of reading up on this PKI stuff lately and although i'm feeling a lot more comfortable with it now, I still want to clarify a few things if I can..

* Kerberos is used for internal authentication and encrpytion, and can be used for external VPN clients who are part of the domain.

*Certificates are used for external authentication and encrpytion mainly for L2TP VPNs for users who are not part of the domain/forest

That correct?

I'm fairly sure there are a few people on here struggling along with this stuff too :)


  • meadITmeadIT Member Posts: 581 ■■■■□□□□□□
    Disclaimer: I'm also studying this atm and don't have the best understanding. With that out of the way.

    I believe Kerberos is only to authenticate the user to network resources (servers, etc).

    Certificates can be used internally and externally, a little more on external to follow. They provide non-repudation, encryption, and integrity. Non-repudation comes from digitally signing the communication (for instance, email). Packets can be encrypted using the your private key and then decrypted by the recipient using your public key which is included in your certificate.

    An internal CA really is not used when communicating externally, unless you have specific trusts set up between your domain and the recipient's. For external communications, you would obtain a certificate from a trusted third party such as Verisign or Thawte.
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
Sign In or Register to comment.