Non-domain joined systems and certificate-based communication

We are about to roll out PKI into our Windows domain.  We are going to have 2 auto-enroll certificates, one for domain users and one for domain computers. 

We have a mixed IT environment, with various incarnations of *Nix (Linux, Solaris, HP-UX and AIX) and Windows workgroup servers all running various enterprise applications.  Some of these enterprise applications use self-signed certificates for secure communication between the application servers.  This can also occur on domain-joined Windows servers.  This means that these enterprise Windows servers will have existing self-signed certificates in their Personal certificate store under the local computer account.  These non-domain servers (whether they be *Nix systems or workgroup systems) will not trust the new Root CA for the domain once it is rolled out, as they won't receive the update through AD.

This brings me to my question.  When we implement PKI, a new certificate will be installed in the local computer account's Personal certificates folder.  This certificate will be at the top of the list, as it will be the newest.  When I installed a new LDAP SSL certificate on one of my RODCs a while back, I ran into a problem where the correct SSL certificate was not being chosen by the OS.  The problem is outlined in the following link, and I've cut and pasted the more specific portion below: http://support.microsoft.com/kb/321051?wa=wsignin1.0

• Multiple SSL certificates
Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.

So my question is, after a new certificate has been placed into the local computer Personal certificates folder, will this not break any application-specific SSL communication?  Additionally, for any non-domain system that does not trust the new domain root CA, will they not lose the ability to communicate over SSL?  (Example:  Say we have a Windows IIS server that hosts an application provided over SSL, but some component of the application has a non-domain system that talks to it.  Will implementing PKI not break this communication?)

Thanks for the answers.  I think I must be mistaken in my understanding somewhere, as this would seem to be a very, very common problem in other IT shops, as pretty much everybody has a mixed domain/non-domain environment.
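The check a practitioner would want to run on each affected Windows server before the auto-enrollment policy lands, as an added example that is not part of the original post or of the Microsoft KB: it lists the LocalMachine\My store in enumeration order, flags every certificate that is currently valid for Server Authentication (the population from which Schannel picks its "first valid" certificate), reports whether the new domain Root CA is already in the machine's trusted root store, and shows which thumbprint each HTTP.sys (IIS) SSL binding is pinned to. `$RootCaThumbprint` is a placeholder you replace with the thumbprint of the new Root CA; `$ExpectedDnsName` defaults to the local computer name and is only an assumption about which name the services should present.

```powershell
# Added example: pre-rollout inventory of the LocalMachine\My store.
# Not code from the original post. Run elevated on the server being checked.
# $RootCaThumbprint is a placeholder for the new domain Root CA's thumbprint.
param(
    [string]$RootCaThumbprint = 'REPLACE-WITH-NEW-ROOT-CA-THUMBPRINT',
    [string]$ExpectedDnsName  = $env:COMPUTERNAME
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU

# Is the new domain root already trusted on this machine? A workgroup server
# will report False until the root certificate is imported into
# LocalMachine\Root by hand, because it never receives it through AD.
$rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootCaThumbprint })
"New domain Root CA trusted on this machine: $rootTrusted"

# Walk the Personal store in the order the OS enumerates it and record the
# properties that decide whether Schannel would consider a certificate valid.
$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasKey        = $_.HasPrivateKey
        # A certificate with no EKU at all is usable for any purpose.
        ServerAuth    = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
        SelfSigned    = ($_.Subject -eq $_.Issuer)
        ChainsToTrust = $_.Verify()      # builds a chain against LocalMachine\Root
        DnsNames      = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ','
    }
}

"Certificates in LocalMachine\My (store order):"
$candidates | Format-Table Subject, Thumbprint, NotAfter, HasKey, ServerAuth,
    SelfSigned, ChainsToTrust, DnsNames -AutoSize

# Anything that is valid now, has a private key, chains to a trusted root and
# carries Server Authentication is a candidate for Schannel's "first valid"
# choice. More than one such entry is the situation KB 321051 describes.
$usable = @($candidates | Where-Object {
    $_.HasKey -and $_.ServerAuth -and $_.ChainsToTrust -and $_.NotAfter -gt (Get-Date)
})
if ($usable.Count -gt 1) {
    Write-Warning ("{0} valid Server Authentication certificates present; " +
                   "Schannel may not select the intended one:" -f $usable.Count)
    $usable | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)  [$($_.DnsNames)]" }
}
$named = $usable | Where-Object { $_.DnsNames -split ',' -contains $ExpectedDnsName }
if (-not $named) {
    Write-Warning "No usable certificate carries the expected name '$ExpectedDnsName'."
}

# HTTP.sys (IIS) bindings reference a certificate by its hash rather than by
# store order, so compare each binding's hash against the thumbprints above.
"HTTP.sys SSL bindings (certificate hash per binding):"
netsh http show sslcert | Select-String -Pattern 'IP:port|Hostname:port|Certificate Hash'
```

The last section is the part that answers the IIS half of the question: an HTTP.sys binding is tied to one thumbprint, so a newly auto-enrolled certificate appearing in the store does not change what that site presents, and the binding hash is what to record before and compare after rollout. The warning block covers the other half: services that let Schannel choose (the LDAPS-on-a-DC case in the post) are the ones where two or more valid Server Authentication certificates in the store matter, and the inventory tells you which thumbprints are in play on each server so the application's own configuration can be checked or pinned where the product supports it. Running the `$rootTrusted` check on the workgroup servers shows which of them still need the new root imported before they can validate a certificate issued by it.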
