Guidance on appropriate PKI design
Hello,
I'm looking for some guidance on the design of a PKI infrastructure for our company. We have not had a need for an internal certificate authority until now, as we'll be installing Microsoft Lync. Further, a certificate authority will come in handy as we look into deploying ActiveSync, as I understand certificates can be used with cell phones for additional security.
I understand from reading numerous articles that there are standalone, two tier and three tier architectures and would like to hear what, in your experience, would be most appropriate for our situation.
(Read this most recently: http://social.technet.microsoft.com/wiki/contents/articles/2901.pki-design-guidance.aspx )
Besides Lync and cell phones, we have some custom-written applications that we'd like to sign. We are a smaller company (200 users) with not a lot of experience with PKI, so any advice on the proper design you think we should have would be appreciated.
I'm sure there is more specific information I need to supply to assist in any recommendation so please let me know what else would be appropriate to provide.
From what I've read, I don't think installing it on a DC would be advisable.
Any advice would be most appreciated.
Thanks!
July 3rd, 2012 10:15am
I think 2-tier (I guess there are no special requirements) would be enough for you. And yes, a CA on a DC is the worst idea.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 3rd, 2012 11:21am


