Certification Success – The Standalone CA Versus The Enterprise CA

Posted on Oct 19, 2004

Security is a hot topic, both in the workplace and on Microsoft exams, so you have to study the different security features that can be implemented. One such feature is the certificate authority (CA), and you can expect to encounter a few exam questions on the topic. Unfortunately, this is one of the most difficult topics to understand, but you should start by learning the difference between standalone certificate authorities and enterprise certificate authorities.

A standalone CA does not issue certificates without administrator intervention. The reason is that a standalone CA doesn’t tap into a local or domain user account. Instead, it relies on human intervention as a ‘last check’ before issuing a certificate. Standalone CA certificates are also not distributed automatically; they require a delivery method, such as group policy (for local domain users), or further human intervention. For Web and Internet access, this is the type of CA to use.

The enterprise CA adds a new level of flexibility and capability to the certificate picture, but it also adds complexity. The enterprise CA is integrated with Active Directory, and only provides certificates to members within that Active Directory. This pretty much kills the idea of having an extranet or secure Internet communications alongside secure local domain communications.

Enterprise certificates can, however, be used in a manner that falls within the ‘not often, but still really nifty’ category. They can be used to bypass repeated and redundant domain authentication and, when properly configured, can further enhance the standard Kerberos authentication methods. Enterprise certificates are automatically issued for every user account when it is created. The certificate itself, since it is a file, can be stored on any storage location and can still be valid. Following this train of thought, it is possible to place a certificate on a card or plug-in device that can be used to authenticate a user during the normal Kerberos authentication process. These specialized devices are called smart cards, and while smart card implementation is somewhat expensive, several large corporations have implemented this technology as an added safety factor.
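As an added example (not part of the original article), the PowerShell below reads a Windows CA's type and request-handling setting from the Certificate Services registry keys and reports whether requests are held for an administrator, the ‘last check’ described above. The function name `Get-CaIssuanceMode` is hypothetical, and the fallback values are constructed samples used when no CA is installed on the machine.

```powershell
# Added example: audit whether a CA holds requests for administrator review.
# CAType and RequestDisposition are AD CS registry values; the function name is hypothetical.
$CaTypes = @{ 0 = 'Enterprise root'; 1 = 'Enterprise subordinate'
              3 = 'Standalone root'; 4 = 'Standalone subordinate' }
$Actions = 'Pending', 'Issue', 'Deny', 'UseRequestAttributes'

function Get-CaIssuanceMode {
    param([int]$CAType, [int]$RequestDisposition)
    $typeName = $CaTypes[$CAType]
    if (-not $typeName) { $typeName = "Unknown ($CAType)" }
    $code = $RequestDisposition -band 0xFF                    # REQDISP_MASK
    $action = if ($code -lt $Actions.Count) { $Actions[$code] } else { 'Unknown' }
    $pendingFirst = ($RequestDisposition -band 0x100) -ne 0   # REQDISP_PENDINGFIRST
    $held = $pendingFirst -or ($action -eq 'Pending')
    $standalone = $CAType -in 3, 4
    # A standalone CA has no directory account behind the request, so the
    # administrator's approval is the only check before a certificate is issued.
    $finding = if ($standalone -and -not $held) {
        'REVIEW: standalone CA issues without administrator approval'
    } elseif ($standalone) {
        'OK: requests wait in the Pending queue for an administrator'
    } else {
        'OK: enterprise CA, requester is a member of Active Directory'
    }
    [pscustomobject]@{
        CAType       = $typeName
        Disposition  = '0x{0:X}' -f $RequestDisposition
        HeldForAdmin = $held
        Finding      = $finding
    }
}

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $base) {
    # Live CA: follow the "Active" values to the CA key and its policy module.
    $caKey  = Join-Path $base (Get-ItemProperty $base).Active
    $polKey = Join-Path $caKey 'PolicyModules'
    $modKey = Join-Path $polKey (Get-ItemProperty $polKey).Active
    Get-CaIssuanceMode -CAType (Get-ItemProperty $caKey).CAType `
        -RequestDisposition (Get-ItemProperty $modKey).RequestDisposition
} else {
    # Constructed sample values: standalone pending, standalone auto-issue, enterprise.
    Get-CaIssuanceMode -CAType 3 -RequestDisposition 0x101
    Get-CaIssuanceMode -CAType 3 -RequestDisposition 1
    Get-CaIssuanceMode -CAType 0 -RequestDisposition 1
}
```

The same two values can be read on the CA server with `certutil -getreg CA\CAType` and `certutil -getreg Policy\RequestDisposition`.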

Once certificates are exchanged, and authenticity is established, communication occurs, but additional security factors can be put in place to help enhance the rest of the communications process.


  • Anonymous

    Ummmm, this is certainly NOT a full list of OS5's features. According to Scott Forstall there are 200 new features. This might more accurately be called, “A quick glance at a small subset of OS5's features.”

    I liked some of the GUI changes, like the split keyboard function to make thumb entry easier.

    I also liked the promised ‘Airdrop’ peer-to-peer Wi-Fi file sharing.

    I like how the SHARING link takes you to the UFX Bank site, I don’t think buying gold is part of the new OS.

    Maybe a little editing and research?

  • Anonymous

    Does that mean we can text message u?… LOL

  • http://www.tabletaholic.com Tabletaholic

    Looks good so far. It is comical that in 2011 someone would actually play up the fact that you no longer need a desktop computer to use an iOS device. You can set up the device on the device itself, and updates can now be pushed to your phone OTA, without having to ever touch iTunes.

    Isn’t it only logical that the iPad would work this way?