- Obtaining a certificate on Windows Server without IIS
- CA Web Enrollment
- Determining the type of CA (standalone or AD integrated)
- Another option is certutil -CAinfo – look for CAType.
- Difference between Standalone and Enterprise (AD integrated) CA. In case of Enterprise CA:
- Cert is automatically pushed out to all machines.
- Configuration is stored in AD: CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- CAs and their certs can be found via AD itself: CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- Requesting a new cert is easy (IIS, for instance, has an option to request a domain certificate). Plus, renewal happens automatically.
- Can define templates, which are stored in AD itself, and can be used to create new certs.
- Can archive the private key in AD?
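
The AD lookup described in the list (CAs and their certs under CN=Certification Authorities), as an added PowerShell example that is not part of the original notes. It assumes a domain-joined Windows host and reads the configuration naming context from RootDSE instead of hard-coding DC=mydomain; the output property names are chosen here for illustration.

```powershell
# Added example: read-only inventory of CA certificates published in AD.
# Assumption: run on a domain-joined host as an authenticated domain user.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext.Value
$container = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$container"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(objectClass=certificationAuthority)'
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('cACertificate')

$results = $searcher.FindAll()
try {
    foreach ($entry in $results) {
        # One object can carry several certificates (for example after a CA renewal).
        # Result property names are returned in lowercase.
        foreach ($raw in $entry.Properties['cacertificate']) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Name       = [string]$entry.Properties['cn'][0]
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}
finally {
    # SearchResultCollection holds unmanaged resources; release them explicitly.
    $results.Dispose()
}
```

Comparing the thumbprints in this output against the organisation's known CA list shows whether an unexpected certificate has been published to the container.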