Ask HN: Microsoft CA Reading Material

1 points by lax4ever ↗ HN
Does HN have some recommended readings for Microsoft's CA role, Certificates, and PKI? My company is preparing to replacing our domain controllers (hardware replacement and going from 2012 R2 to Server 2022) and one of them has our local CA. It's not used for much right now (DC authentication, Kerberos, and Exchange), but I am trying to decide if it will be simpler to migrate or just start a new CA.

4 comments

[ 3.2 ms ] story [ 23.3 ms ] thread
https://www.amazon.com/gp/product/B010EUQPPY?psc=1 I started with this book. But honestly there's just alot of reading to do to setup the root cert correctly and supportable going forward. Like the default root cert has too low of ... numbers..There's stuff you want to customize when setting up the root cert that MS doesn't specify and it's kinda a major nightmare, i recommend doing a lab environment and testing.

Likely people who install a CA on a DC don't know admining and therefore i would recommend setting up a new cert. And/or ask why you're even using a certificate authority in the first place. As kerberos authentication between windows is really solid even without a cert authority.

Yeah, unfortunately some of our workstations are MacOS and Linux based, so I can't solely rely Kerberos, we have to have LDAP (ideally LDAPS) involved. We were also advised by our email provider that they have used it for the company's Exchange provider but that was set up before I joined the company and I am not really seeing evidence of a cert being issued for that purpose, though I very well could have missed it.
Mmm do you use s/mime for your email? You can usually tell from outlook and such.
That's the part that confuses me, is we don't currently utilize S/MIME from everything that I can see.