9/30/2012

Microsoft PKI Certificate Authority (CA) Design Overview

Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. When you plan the CA hierarchy for your organization's PKI, you can use the following table to get an idea of the type of hierarchy and CAs to implement.
Design Option: Enterprise Root CA on a Domain Controller (online)
Best for: Not recommended. Lab environments only, when PKI design is not a priority, or where resources are severely constrained (worst-case scenario).
Pros: None.
Cons:
• Configuration dependencies make domain controller maintenance and restore complex.
• CA is online and more susceptible to compromise.

Design Option: Enterprise Root CA (online)
Best for: Small organizations with limited security needs; environments that don't have high security needs and don't want to manage an offline system; large companies with limited certificate needs, such as internal SSL.
Pros: Easy to manage, uses templates, integrates with Active Directory Domain Services (AD DS).
Cons:
• CA is online and more susceptible to compromise.
• Cannot revoke the online CA if it is compromised.
• More difficult to expand than multi-tier CA hierarchies.

Design Option: Enterprise Root CA (offline)
Best for: Not ideal for any environment.
Pros: When offline, the CA is not exposed to network-based attacks.
Cons:
• Cannot be installed offline because it requires Active Directory.
• Enterprise Root CA would not be able to service requests when offline.
• Enterprise Root CA would have to be online sometimes and a member of the domain.
• Creation of an Enterprise Subordinate CA would be needed to utilize any of the benefits of having an Active Directory-integrated CA.
• Enterprise Root CA would be online during subordinate CA renewal (in a multi-tier CA hierarchy).
• In a single-tier hierarchy, the Enterprise Root CA would not be available to issue certificates when offline.
• The secure channel password would likely need to be reset in order to communicate with the domain when it was brought online, if it had been offline for more than 30 days.

Design Option: Standalone offline root CA
Best for: Secure environments; multiple issuing CAs.
Pros: Provides security and management of online CAs. Allows environments to have a single point of trust for all CAs in the company. Helps maintain physical and logical control of the CA.
Cons: Easy to forget about and allow the CDP/AIA to expire and break the PKI. Expensive: requires dedicated hardware that is infrequently used. More complex and requires a greater skill level to integrate into an Active Directory Domain Services (AD DS) environment.

Design Option: Two-tier CA hierarchy
Best for: Most environments that don't have a need to create security boundaries in their CA architecture.
Pros: No unnecessary offline systems. Fewer CAs to manage and renew offline.
Cons: No ability to restrict subordinate CAs or administrators. Can/should also incur the expense of an HSM.

Design Option: Three-tier CA hierarchy
Best for: Very large and expansive PKI environments with segmented CAs, or separate groups that will manage CAs and need to be restricted.
Pros: Ability to restrict CAs from issuing certificates they shouldn't (DMZ CAs shouldn't issue smart card certificates, etc.). Allows the greatest flexibility of the PKI.
Cons: Middle tier is often never utilized and is wasted. Extra machine/OS/HSM expense; one more system to remember to renew and maintain in an offline state.
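The offline-root caveat in the table (a forgotten CRL at the CDP lapsing and breaking chain validation) is easy to turn into a scheduled check. The PowerShell script below is an added example and not part of the original post; it assumes certutil.exe is on the PATH (it ships with Windows), that certutil's NextUpdate line parses with the current culture's date format, and that the placeholder CDP URLs are replaced with your own.

```powershell
# Added example, not from the original post. Downloads each CRL published
# at the hierarchy's CDP URLs and warns before NextUpdate passes, so an
# offline root's manually renewed CRL is not forgotten.
# Assumptions: certutil.exe (ships with Windows) is on the PATH, certutil's
# "NextUpdate:" line parses with the current culture's date format, and the
# placeholder URLs below are replaced with your own CDP locations.
$CdpUrls = @(
    'http://pki.example.com/CertEnroll/Example-Root-CA.crl',    # placeholder
    'http://pki.example.com/CertEnroll/Example-Issuing-CA.crl'  # placeholder
)
$WarnDays = 14   # raise a warning this many days before NextUpdate

foreach ($url in $CdpUrls) {
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
        # certutil -dump prints the CRL fields, including ThisUpdate/NextUpdate
        $dump = certutil.exe -dump $tmp | Out-String
        if (-not ($dump -match 'NextUpdate:\s*(.+)')) {
            Write-Warning "$url : no NextUpdate field found in certutil output"
            continue
        }
        $next = [datetime]::Parse($Matches[1].Trim())
        $daysLeft = ($next - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) {
            Write-Warning "$url : CRL EXPIRED on $next; revocation checking against it fails"
        } elseif ($daysLeft -lt $WarnDays) {
            Write-Warning ("$url : CRL expires in {0:N1} days ($next)" -f $daysLeft)
        } else {
            Write-Output "$url : OK, NextUpdate $next"
        }
    } catch {
        Write-Warning "$url : download or parse failed: $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Run it from a scheduled task on a management host well inside the offline root's CRL validity window, so the warning arrives while there is still time to bring the root online and republish.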
