Can I install AD CS on WSUS server?

Tutek 721 Reputation points
2021-02-18T16:53:48.73+00:00

Hi,
I need to install a CA in my small environment for LDAPS clients and for some certificates for intranet sites. I have only a domain controller on Windows Server 2012 R2 and a WSUS server joined to the domain on Windows Server 2019. As I read everywhere, having AD CS on a domain controller is not recommended, so my question is whether there is any security risk in installing it on my WSUS server instead?

thanks.


3 answers

  1. Vadims Podāns 9,186 Reputation points MVP
    2021-02-18T18:54:49.313+00:00

    WSUS assumes an IIS server, which is another potential attack vector. If the server is compromised via IIS (to be more precise, via a vulnerable or misconfigured web app), then the CA is compromised too. However, if you have limited license resources, then you don't have alternatives and have to use only the available resources.

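    A quick way to see what the CA would be sharing the box with, as an added example that is not from this thread: it lists the installed roles of interest and flags the IIS/WSUS co-location described above. Feature names are the standard Get-WindowsFeature identifiers; run it in an elevated PowerShell session on the WSUS server.

```powershell
# Added example: inventory the roles on a prospective CA host and flag co-location.
# Assumes the Windows Server ServerManager module (Get-WindowsFeature) is available.
$rolesOfInterest = @{
    'ADCS-Cert-Authority' = 'AD CS certification authority'
    'ADCS-Web-Enrollment' = 'AD CS web enrollment (runs under IIS)'
    'UpdateServices'      = 'WSUS'
    'Web-Server'          = 'IIS web server'
}

# Keep only installed features that appear in the table above.
$installed = @(Get-WindowsFeature |
    Where-Object { $_.Installed -and $rolesOfInterest.ContainsKey($_.Name) })

foreach ($f in $installed) {
    Write-Output ("{0,-22} {1}" -f $f.Name, $rolesOfInterest[$f.Name])
}

$names   = $installed | ForEach-Object { $_.Name }
$hasCA   = $names -contains 'ADCS-Cert-Authority'
$hasWeb  = ($names -contains 'Web-Server') -or ($names -contains 'UpdateServices')

if ($hasCA -and $hasWeb) {
    # Same trust boundary: a web-app compromise on this host reaches the CA key and database.
    Write-Warning 'CA is co-located with IIS/WSUS on this host; it shares their attack surface.'
}
elseif (-not $hasCA) {
    Write-Output 'No CA role installed on this host yet.'
}
```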

  2. Anonymous
    2021-02-19T02:14:28.58+00:00

    Hello @Tutek ,

    Thank you for posting here.

    The best practice we recommend is that a server should play one role, or as few roles as possible, because this reduces possible resource conflicts and exploitable vulnerabilities and minimizes patching of other applications that might cause downtime.

    If you do have limited resources, you can install ADCS on WSUS server.

    We can refer to the following similar case.
    WSUS, DC and CA on same physical machine?
    https://social.technet.microsoft.com/Forums/en-US/d9635885-3c16-49bd-b010-b2a2de9ceeaa/wsus-dc-and-ca-on-same-physical-machine?forum=winserverwsus

    References
    Step 3: Configure WSUS
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852346(v=ws.11)?redirectedfrom=MSDN#consswsus

    How to setup Microsoft Active Directory Certificate Services
    https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  3. Tutek 721 Reputation points
    2021-02-21T20:08:44.06+00:00

    If I go with one root CA server (without a subordinate), can I just turn it off for security reasons after I configure it and issue all my certificates for intranet sites, LDAPS servers, etc.? The CA server will then be unused for two years (the validity time of the SSL certificates), am I right?
