The question is purely about whether this config is capable of issuing valid intranet SSL certs (i.e. SSL certs for internally facing sites), and not any other implications or concerns.
(The focus of the question isn't security, availability, continuity, disaster recovery or any other implications or concerns other than the ability to issue valid SSL certs.)
Context: inherited an AD setup where the primary DC has a CS/CA role and no templates – which means the CA is "standalone", not "enterprise", confirmed via certutil -getreg ca\catype:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<masked>AD01-CA\CAType:
CAType REG_DWORD = 3
ENUM_STANDALONE_ROOTCA -- 3
CertUtil: -getreg command completed successfully.
There is also a "subordinate" CA running on a secondary DC that is "enterprise" (although its "templates" feature isn't working: "no templates found" errors when using Web Enrollment on it).
The question
Is this configuration ("standalone" root CA + "enterprise" subordinate CA) capable of issuing valid SSL certs for intranet sites like vCenter, SolarWinds, etc.?
Reason I ask:
Having a lot of trouble figuring out how to get a "trusted" SSL setup for internally facing (intranet) sites and could use any help I can get:
- Can AD CA certificates for internally facing sites be inherently trusted?
- Can Orion use an AD CA issued SSL cert?
Figure this may have something to do with how CAs and DCs are currently set up.
If this is not OK and I need to switch to an "enterprise" CA, what's the easiest way to do so?
P.S. I am OK with it not being configured quite to specs with offline/online CAs and CAs not running on DCs – for now the only goal is to be able to issue good certificates to internally facing sites and apps.
Thanks!
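As an added example (not part of the original question or answer), a read-only PowerShell check that reads the CA type from the same registry value the certutil output above comes from, and then tests whether a certificate issued by that CA chains to a trusted root for SSL use on a domain-joined client. The CA name EXAMPLE-AD01-CA, the certificate path and the DNS name are assumed placeholders.

```powershell
# Added example, not from the original post. Run Get-LocalCAType on the CA host
# itself and Test-IntranetServerCert on any domain-joined client that will
# connect to the intranet site. All names/paths below are placeholders.

# CAType values as used by CertSvc; the question's output shows 3 = standalone root.
$caTypeNames = @{
    0 = 'ENUM_ENTERPRISE_ROOTCA'
    1 = 'ENUM_ENTERPRISE_SUBCA'
    3 = 'ENUM_STANDALONE_ROOTCA'
    4 = 'ENUM_STANDALONE_SUBCA'
}

function Get-LocalCAType {
    param([Parameter(Mandatory)][string]$CAName)
    # Same key that certutil -getreg ca\catype reads.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    $value = (Get-ItemProperty -Path $key -Name CAType).CAType
    [pscustomobject]@{
        CAName       = $CAName
        CAType       = $value
        Name         = $caTypeNames[[int]$value]
        IsEnterprise = ($value -in @(0, 1))   # only enterprise CAs use AD templates
    }
}

function Test-IntranetServerCert {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$DnsName
    )
    # Builds the chain against this machine's trust stores, the way a browser or
    # service on the host would, and checks the Server Authentication EKU and
    # that the name matches the certificate's subject/SAN.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ok   = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        TrustedForSSL = [bool]$ok
    }
}

# Placeholder values; replace with your CA name, exported site cert and hostname.
Get-LocalCAType -CAName 'EXAMPLE-AD01-CA'
Test-IntranetServerCert -CertPath 'C:\temp\vcenter.cer' -DnsName 'vcenter.example.local'
```

If TrustedForSSL comes back $false on a client that already has the root in its Trusted Root store, the usual causes are a missing Server Authentication EKU or a name mismatch, both of which are set at issuance rather than by the CA type.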
Best Answer
It is NOT OK to run any certificate services on domain controllers. They must be installed on member servers only.
There are two reasons for that: