Microsoft PKI Certificate Authority (CA) Design Overview Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organizations security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. When you do plan your CA hierarchy for your organization's PKI, you can use the following table to get an idea of the type of hierarchy and CAs to implement. Design Option Best for Pros Cons Enterprise Root CA on a Domain Controller online Not recommended. Lab environments only when PKI design is no a priority. Resources severely constrained (worst case scenario) None Configuration dependencies make domain controller maintenance and restore complex. CA is online and more susceptible to compromise. Enterprise Root CA online Small organizations with limited security needs. environments that don’t have high security needs and don’t want to manage an offline system, large companies with limited certificate needs like internal SSL online Easy to manage, uses templates, integrates with Active Directory Domain Services (ADDS) CA is online an more susceptible to compromise. Cannot revoke online CA if compromised More difficult than multi-tier CA hierarchies to expand Enterprise Root CA offline Not ideal for any environment When offline the CA is not exposed to network-based attacks. • Cannot be installed offline because it requires Active Directory • Enterprise Root CA would not be able to service requests when offline • Enterprise Root CA would have to be online sometimes and a member of the domain • Creation of an Enterprise Subordinate would be needed to utilize any of the benefits of having an Active Directory integrated CA • Enterprise Root CA would be online during subordinate CA renewal (in a multi-tier CA hierarchy) • In a single-tier hierarchy, the Enterprise Root CA would not be available when offline to issue certificates • Secure channel password would likely need to be reset in order to communicate with domain when it was brought online, if it was offline for more than 30 days. Standalone offline root CA Secure environment, multiple Issuing CAs Provides security and management of online CAs. Allows environments to have a single point to trust all CAs in the company. Helps control physical and logical control to CA Easy to forget about and allow CDP/AIA to expire and break PKI. Expensive – requires dedicated hardware that is infrequently used. More complex and requires greater skill level to integrate in an Active Directory Domain Services (AD DS) environment. Two-tier CA hierarchy Most environments that don’t have a need to create security boundaries in their CA architectures No unnecessary offline systems. Less CAs to manage and renew offline No ability to restrict subordinate CAs or administrators. Can/should also incur expense of an HSM Three-tier CA hierarchy Very large and expansive PKI environments with segmented CAs or separate groups that will manage CAs and need to be restricted Ability to restrict CAs from issuing certs that shouldn’t (DMZ CAs shouldn’t issue Smart cards, etc..). Allows greatest flexibility of PKI Middle tier often never utilized and is wasted. Extra machine/OS/HSM expense, one more system to remember to renew and maintain in an offline state.