Certificates have not historically been my favorite area of technology. We have to use them, but most applications simply generate a self-signed certificate at install time, which no other system trusts and which conditions users to click past certificate warnings. That is not good practice. So when do you decide to run a certificate authority (CA) server on your own network?
This is a complicated question, but I will share some points I have learned along the way about when it makes sense to install a local certificate authority. In many Windows shops this means deploying the Active Directory Certificate Services (AD CS) role. What makes it scale to many users and computers is centralized management through Group Policy: the CA's root certificate can be pushed into every domain member's trusted root store, and certificate templates can be set to auto-enroll, so each domain-joined computer requests and renews its own certificate without anyone touching the machine. That is especially helpful with device certificates.
One of the best examples is configuring a wireless network to require a computer (or device) certificate for access, which in practice means 802.1X with EAP-TLS and a RADIUS server that accepts only certificates chaining to the internal CA. This removes the risk of a shared wireless password being passed around: only designated, domain-joined systems holding a valid device certificate can associate. It suits organizations that want to give office wireless access to specific systems rather than offer public access or rely on a password.
Having a CA in place can also silence Internet Explorer's "friendly" certificate warnings on internal sites. Once the local CA's root certificate is trusted across the domain, replacing self-signed certificates with ones issued by that CA makes for a much more pleasant experience for internal users. It also stops teaching them that certificate warnings are normal and safe to click through, which matters the day a warning is real.
A certificate can also be the second factor for VPN access. If the VPN access policy checks for a device certificate on the connecting computer, that certificate is a factor beyond the username and password: a phished password alone does not get an attacker in from a machine that holds no certificate from your CA. Multifactor authentication is, of course, much more secure than a username and password (single factor), and because the computer certificate is issued and revoked under central policy, you also control which machines may connect at all. Keep in mind that a device certificate proves the device, not the person at the keyboard, so it complements a user credential rather than replacing it.
Installing a CA won't help in every situation, however. External-facing systems won't benefit from certificates issued by the internal CA, even if they sit on the internal network and only serve content to outside users: outside clients never received your root certificate, so an internally issued certificate looks no more trustworthy to them than a self-signed one. This includes public web services and anything else that uses SSL/TLS with clients you don't manage; those still need certificates from a publicly trusted CA.
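The trust and policy mechanics behind the wireless, VPN and external-facing points above are worth seeing in code. The following Go program is an added example, not code from the original post or from AD CS itself. It stands up a throwaway self-signed root in place of the internal CA, issues a device certificate to a hypothetical computer, and runs the same access-policy check three ways: from a domain member that received the root (the Group Policy case), from an outsider that never did (the external-facing case), and with a certificate from the same CA that lacks the Client Authentication EKU (a policy has to check purpose, not just issuer). The CA name, the host names and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newInternalCA builds a throwaway self-signed root standing in for an on-premises CA such as AD CS (constructed name).
func newInternalCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Contoso Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues a leaf to a hypothetical domain-joined computer. With clientAuth=true it
// carries the Client Authentication EKU an 802.1X or VPN policy looks for; with false it is a plain server cert.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, clientAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if clientAuth {
		eku = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is the access-policy check a RADIUS server or VPN gateway makes: the certificate must
// chain to a root in the verifier's store and be permitted for client authentication. Pass the internal
// root to model a domain member that got it through Group Policy; pass nothing to model an outsider.
func verifyDevice(leaf *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// isUnknownAuthority: no trusted root signed the chain (what an outsider sees).
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// isIncompatibleUsage: the chain is trusted, but the cert is not allowed for this purpose.
func isIncompatibleUsage(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.IncompatibleUsage
}

func main() {
	ca, caKey, err := newInternalCA()
	if err != nil {
		panic(err)
	}
	laptop, _ := issueDeviceCert(ca, caKey, "laptop42.corp.example", true)
	web, _ := issueDeviceCert(ca, caKey, "www.corp.example", false)
	fmt.Println("domain member, device cert:", verifyDevice(laptop, ca)) // <nil>
	fmt.Println("outsider, same device cert:", verifyDevice(laptop))     // unknown authority
	fmt.Println("domain member, server cert:", verifyDevice(web, ca))    // incompatible usage
}
```

Run it with go run: the first check returns nil, the second an unknown-authority error, the third an incompatible-usage error. The second case is the whole of the external-facing caveat: nothing the CA signs means anything to a client until that client's root store contains the CA's certificate, and you don't control the root stores of clients outside the domain. Real RADIUS and VPN gateways also check revocation, which the example leaves out.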
What criteria do you use to determine if you need to start hosting a CA? Share your comments below.