Where to Place a NAP CA
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The NAP CA must have access to HRA, which can be accomplished by installing the CA on the same server computer. However, because HRA is located on the IPsec logical boundary network, installing CA on the same computer means that your NAP CA will also be accessible to noncompliant and non-NAP-capable computers. If you prefer to place a NAP CA on the secure network, you must install AD CS on a separate server computer.
NAP CA special considerations
When you install and configure a NAP CA, consider the following:
The NAP CA should issue health certificates only. Due to the high number of certificates issued, a NAP CA database can become very large and must be frequently cleared. If the CA issues other types of certificates, those records can be lost.
Certificates issued from a NAP CA that contain the client authentication EKU, such as Secure Sockets Layer (SSL) certificates, meet requirements for NAP IP security policies unless they are configured to accept health certificates only. This option is available only in connection security rules that apply to Windows 7 or Windows Vista, and Windows Server 2008 R2 or Windows Server 2008.
To clear the NAP CA database automatically, grant HRA permission to manage the CA. If HRA is not granted this permission, you must use another method to periodically clear the database so that it does not become too large. A CA that has no available disk space will cease to respond to certificate requests until disk space is made available.
In its recommended configuration, the NAP CA is a subordinate CA. Your certificate hierarchy should have a root CA and a level of issuing CAs below the root CA. NAP CAs are at the issuing CA level.
In its recommended configuration, the NAP CA is a standalone CA. This is the simplest and most efficient NAP CA for issuing health certificates.
If you use an enterprise CA to issue health certificates, you must configure a certificate template with the system health authentication EKU. The enterprise CA can be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
Do not configure NAP health certificates for multiple purposes by adding EKUs other than system health authentication and client authentication.
To prevent noncompliant computers from manually requesting a health certificate, you must remove enroll permission for domain computers. Configure the NAP CA to allow this permission for members of the NAP exemption group only. When HRA is a member of the NAP exemption group, it will have permission to request certificates on behalf of NAP client computers.