I don't really "get" certificates and CAs


Do end users really understand how to do this? Accepting certificates and adding CA sites to allowed site list etc.... The places I've worked, people don't know the difference between logging on locally and to the domain...

I'm sure I'm missing something here.....

Comments

  • mad82 Member Posts: 18
    For the most part the end user shouldn't ever have to worry about it. You publish your internal CA into the trusted root store through GPO so all those web certs that you use for internal sites are trusted automatically and they don't get prompted. Working with another company and need your users to accept their certs? Do the same thing with their root CA (be sure you really do trust the other company).

    You can also allow automatic enrollment of computer certificates and user certificates. EFS for encrypting files can be handled automatically so they don't have to go out for it. Set it up so there is a recovery agent though or you'll get in trouble when they encrypt the payroll and can't access it later. If they need to allow other users to access the encrypted files, you can show them how to add them (as simple as right clicking, properties, some other stuff, type in that user's name).

    Once autoenrollment of user certs goes on, they can sign documents like pdfs with them.

    But it all starts with importing your root CA's certificate into GPO. After that the only people working with the CAs will be admins or maybe developers needing to sign code.

    Edit: I really love PKI stuff. Back when I was in school the concept of one-way keys and what all you could do with them fascinated me, so when I got to roll out an entire PKI system for my last job, I was having a blast. They never got around to doing it, but you can use machine certificates with SCCM for secure deployment of software, or for EAP-TLS for wireless authentication. I could work with PKI all day and be perfectly happy. I'm such a geek but it's one of those techs that I really enjoy working with.
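
An added example, not part of any post in this thread: a PowerShell check an admin could run on a client to confirm that the internal root CA described above really arrived through Group Policy, and to list any roots that were trusted by the user alone. The thumbprint is a placeholder to replace with your own root CA's value.

```powershell
# Added example: verify GPO delivery of an internal root CA on a Windows client.
param(
    # Placeholder thumbprint, not a real CA. Replace with your root CA's thumbprint.
    [string]$Thumbprint = '0000000000000000000000000000000000000000'
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# Roots pushed by the "Trusted Root Certification Authorities" policy are stored
# under the Policies hive; a root imported by hand on the machine is not.
$gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
$viaGpo = Test-Path -Path $gpoKey

# The machine trust store is what browsers and services actually consult.
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "Root CA $Thumbprint is not trusted on $env:COMPUTERNAME; users will get certificate prompts."
    return
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Subject        = $cert.Subject
    SelfIssued     = ($cert.Subject -eq $cert.Issuer)   # expected for a root CA
    NotAfter       = $cert.NotAfter
    Expired        = ($cert.NotAfter -lt (Get-Date))
    DeliveredByGpo = $viaGpo
}

if (-not $viaGpo) {
    Write-Warning 'Root is trusted but was not delivered by GPO (installed locally on this machine).'
}

# Roots that appear in the user's view but not in the machine store were added
# for this user only, typically by clicking through an import or trust prompt.
$machineRoots = (Get-ChildItem -Path Cert:\LocalMachine\Root).Thumbprint
Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject, NotAfter
```

Running `gpupdate /force` first makes sure the client has processed the current policy before the check.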
  • BradH Member Posts: 160
    I think from memory CBT Nuggets did a good Certificate overview for 70-640. Might be a good one to check out. It's not all that hard once you do it once or twice, and GPOs make it 100 times easier to get your cert out there in your network.

    642 had a couple of questions on certs too, from memory, but 640 had a focus on AD DS - Certificate Services, hence look at CBT's 640 info.

    Also see Claymore's 640 information as he has posted heaps of references on Certificate Services for 2008.

    http://www.techexams.net/forums/mcts-mcitp-windows-2008-general/42880-70-640-resources.html
    EA Path - 70-643 - Passed - 70-680 - Passed - 70-647 - To Complete
  • tdean Member Posts: 520
    Thanks for the help guys. Good explanation mad... I really want to get into the PKI stuff.
  • dynamik Banned Posts: 12,312
    You want it, huh? How bad? ;)
  • tdean Member Posts: 520
    dynamik wrote: »
    You want it, huh? How bad? ;)

    And only 700 pages!!!