We're working in a smaller environment with three data centers and about 350 endpoints, using Windows Active Directory on-site without any complex cloud authentication. To simplify things with the upcoming certificate changes, we're planning to automate our self-signed certificates while purchasing certificates for any web-facing applications. I've noticed that most discussions about certificate authorities focus on Windows CA services. Although we're not against using Windows CA, I'm interested in whether I can also use ACME clients to interact with the CA. Are there compelling reasons to choose Windows server roles over Linux options like step-ca for our certificate needs?
4 Answers
Just a quick note: the cert changes you're referring to are mostly directed at public certificate authorities. We're using public wildcard certs on our internal servers, but that's a legacy setup we're moving away from since we've got no need to host anything publicly anymore.
We’ve always used AD for our certs. It’s mostly a tradition for us, but many stick with Windows because other Windows services integrate smoothly. If you're considering ACME clients, look into the ACME-Server-ADCS project—it lets you interface with ADCS for ACME requests.
Using Windows CA really shines with Active Directory integration. It allows easy enrollment from Windows certificate consoles, plus autoenrollment features for endpoints. This setup is pretty reliable if you're already embedded in a Windows environment.
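The enrollment path this answer describes, as an added PowerShell example that is not part of the original thread: it asks the domain's enrollment services which templates the machine may request, enrolls a machine certificate against an on-prem ADCS issuing CA, checks that the chain builds and revocation can be read, then triggers autoenrollment immediately rather than waiting for the next policy refresh. The template name "InternalWebServer" and the assumption that its ACL grants Enroll and Autoenroll to the machine account are mine, not from the thread.

```powershell
# Added example, not from the original thread. Run on a domain-joined Windows host
# (elevated) against an enterprise ADCS CA published in Active Directory.
# ASSUMPTION: a published V2+ template named "InternalWebServer" exists and its
# security tab grants this machine's account Enroll and Autoenroll.
$template = 'InternalWebServer'

# 1. Which templates is this machine allowed to request? certutil queries the
#    enrollment services registered in AD, so no CA hostname needs to be hard-coded.
certutil -template | Select-String -Pattern $template

# 2. Enroll via the AD-published enrollment policy (no -Url means use LDAP/AD policy)
#    and drop the issued certificate into the machine store.
$result = Get-Certificate -Template $template -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    # 'Pending' means the template requires CA manager approval; 'Denied' is usually an ACL problem
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate
"Issued {0} by {1}, expires {2:u}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter

# 3. Confirm the chain builds to the enterprise root that AD pushes to every member
#    and that the CDP/AIA URLs in the cert are actually reachable from this host.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# 4. Kick machine autoenrollment now (normally runs on GPO refresh) so renewal
#    of anything marked Autoenroll happens without waiting.
certutil -pulse
```

A chain that fails step 3 with a revocation status error is the usual symptom of a CA whose CRL distribution point is only reachable inside the CA's own subnet; fix that before relying on autoenrollment across three data centers.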
Honestly, I find it strange that you plan to buy certs for web-facing services. There are so many solutions, including free ones, that provide great security. Plus, just a heads up: the recent certificate changes mainly affect public CAs, not private ones.