I've noticed something for a while now -- people are really reluctant to install a proper PKI system. If you're a Windows-based organization, I have three words for you:
Get over it.
The Windows Certificate Service (WCS) is powerful and fairly easy to manage -- and it's included in Windows Server Standard or Enterprise versions.
For years, people have been complaining about the lack of security in various products. Well, Microsoft and other vendors have listened, and standards like TLS and mutual TLS are now being built into most of the new products and versions rolling out the door. However, in order to USE these standards and get the security, you must have certificates. You can spend a lot of money buying, installing and managing these certificates from third-party vendors, or you can install WCS.
The most common objection I hear is, "But I can just use commercial certificates!" True, you can. But now you're paying for every certificate and adding to the complexity of your deployment tasks. Rolling out Exchange 2007 or OCS 2007 with all the proper certificates is a lot easier when your servers have an internal WCS infrastructure to talk to -- requests are fulfilled almost immediately. You don't have to spend money on all those internal server certificates -- just the external-facing certs for machines that are talking to external clients or mobile devices.
Either way you choose to go, there are a few facts of life:
- You WILL need to take time to learn how certificates and requests actually work. Knowing why you want to keep secure exported copies of certificates, with their associated private keys, is a good thing.
- You WILL have to allocate time managing your certificates and infrastructure. Commercial certificates expire -- we at 3Sharp had a certificate expiration sneak up on us and disable OWA and EAS until we got it sorted out.
- You WILL have to worry about certificate backups and processes. See the point about exported certificates.
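The expiry and backup points above are the ones that bite in practice, so here is an added example (mine, not from the original post or from Microsoft) that reports every certificate in the local machine's personal store that has expired or expires within a given window, and whether it carries a private key that you should have a secure exported copy of. It assumes PowerShell 3.0 or later with the `Cert:` drive available; the 30-day default window is my own choice.

```powershell
# Added example, not part of the original post: flag certificates in the
# machine's personal store that are expired or close to expiring, so a
# scheduled task or monitoring job can warn before OWA/EAS stop working.
param(
    [int]$DaysWarning = 30,                        # assumed default window
    [string]$StorePath = 'Cert:\LocalMachine\My'   # personal store of the local machine
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysWarning)

# Walk the store, keep only certificates whose NotAfter falls before the cutoff,
# and build a small report object per certificate.
$report = Get-ChildItem -Path $StorePath |
    Where-Object { $_.NotAfter -le $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            DaysRemaining = [int]($_.NotAfter - $now).TotalDays   # negative when already expired
            HasPrivateKey = $_.HasPrivateKey                      # true => needs a backed-up export
            Status        = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
        }
    } |
    Sort-Object NotAfter

if ($report) {
    $report | Format-Table -AutoSize
    # Non-zero exit code so Task Scheduler or a monitoring agent can alert on it.
    exit 1
}
else {
    Write-Output "No certificates in $StorePath expire within $DaysWarning days."
    exit 0
}
```

Run it under an account that can read the machine store (an elevated prompt is enough); any certificate listed with HasPrivateKey set to True is one whose exported PFX should already be sitting in your secured backup location.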
Okay, here's a question -- would there be any interest in having me do a series of blog posts on the basics of certificate handling? I know there's good material out there, so I'd focus my stuff on common tasks and gotchas I've run across when deploying certificates for Exchange and OCS. If that sounds like something you'd want to see, drop me a comment.