Public Certificate

  • Question

  • Hi,

     

    A customer is thinking about using certificates issued by Verisign for his internal deployment. There are no plans for an Edge Server or anything like that. OCS is just for internal use.

     

    They don't want to use a Windows CA, because this would end up in another project and there is actually no time.

     

    I think this would work, but I'm not sure and couldn't find a definitive answer in the deployment guides.

     

    Thanks for your answers and have a nice day

     

    Chris

    Thursday, June 14, 2007 7:34 AM

Answers

  • Hello Chris,

     

    I don't know why this shouldn't work. The Planning Guide describes in detail what types of CAs (internal/external) OCS Server supports. So the following statements in the whitepaper should answer your question.

     

    Excerpt from Planning Guide Page 65

     

    Office Communications Server CA Support

    Office Communications Server supports the following CAs:

    ·         Internal CAs

        ·         Windows Server 2003 Enterprise CA

        ·         Windows Server 2003 Standalone CA

        ·         Windows 2000 Enterprise CA

        ·         Windows 2000 Standalone CA

    ·         External (public) CAs

    Public certificates are required for federation and public IM connectivity, which is the ability to connect with users of the public IM providers MSN, AOL, and Yahoo!. You can also use a public key infrastructure for your internal certificates, if you choose.

    Excerpt from Planning Guide Page 66

     

    External CAs

    External certificates are required when you enable federation or public IM connectivity for your Office Communications Server deployment. Additionally, if your organization wants to outsource the processes of certificate issuing and management, you might choose to use external CAs for your edge servers and your internal servers, because they:

    ·         Allow customers a greater degree of confidence when conducting secure transactions outside the organization.

    ·         Allow the organization to take advantage of the expertise of a professional service provider.

    ·         Allow the organization to use certificate-based security technology while developing an internally managed PKI.

    ·         Allow the organization to take advantage of the provider’s understanding of the technical, legal, and business issues associated with certificate use.

    The disadvantages associated with use of external CAs include the following:

    ·         They typically involve a high per-certificate cost.

    ·         They might require the development of two different management standards, one for internally issued certificates and one for commercially issued certificates.

    ·         They allow less flexibility in configuring and managing certificates.

    ·         The organization must have network access to the third-party CAs in order to access the CRLs.

    ·         Autoenrollment is not possible.

    ·         External CAs allow only limited integration with the internal directories, applications, and infrastructure of the organization.

     

    So if your customer wants to use public certificates for their internal environment, they should be aware of the requirements and disadvantages described above (CRL etc.). Additionally, the root CA must be trusted, but this should be the case with Verisign.

     

    Hope this helps.

     

    Regards

     

    Athanasios

     

     

    Thursday, June 14, 2007 9:01 AM
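
One way to check the two caveats from the answer above (the root CA must be trusted, and internal servers need network access to the external CA's CRLs) on a given server. This is an added example, not part of the original thread or the Planning Guide; the function name `Test-CertificateChain` and the choice of the `LocalMachine\My` store are assumptions.

```powershell
# Added example: run on each internal server that holds or validates the
# public certificate. Test-CertificateChain is a hypothetical helper name.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSeconds = 15
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online mode forces retrieval of revocation data, so an unreachable CRL
    # is reported as a chain problem instead of being skipped.
    $chain.ChainPolicy.RevocationMode = 'Online'
    # The root is validated by its presence in the trust store, not by a CRL.
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSeconds

    $chainValid = $chain.Build($Certificate)

    # CRL Distribution Points (OID 2.5.29.31): the URLs this server must reach.
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($false) } else { '(none in certificate)' }

    # Collect every status flag reported for every certificate in the chain.
    $problems = foreach ($element in $chain.ChainElements) {
        foreach ($status in $element.ChainElementStatus) {
            '{0}: {1}' -f $element.Certificate.Subject, $status.Status
        }
    }

    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        ChainValid = $chainValid
        CrlUrls    = $cdpText
        Problems   = @($problems)
    }
}

# Check every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-CertificateChain -Certificate $_
} | Format-List Subject, Thumbprint, ChainValid, CrlUrls, Problems
```

In the output, a `Problems` entry of `UntrustedRoot` means the issuing root is missing from the server's Trusted Root store, while `RevocationStatusUnknown` or `OfflineRevocation` means the CRL could not be retrieved from that server.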

All replies

  • Athanasios,

     

    Thanks for your answer, that's it. Obviously I read the guide too fast...

     

    Thanks again

    Chris

    Thursday, June 14, 2007 10:52 AM