| Design Option | Best for | Pros | Cons |
|---|---|---|---|
| Enterprise Root CA on a Domain Controller, online | Not recommended. Lab environments only, when PKI design is not a priority. Resources severely constrained (worst-case scenario). | None | Configuration dependencies make domain controller maintenance and restore complex. CA is online and more susceptible to compromise. |
| Enterprise Root CA online | Small organizations with limited security needs; environments that don't have high security needs and don't want to manage an offline system; large companies with limited certificate needs such as internal SSL. | Easy to manage, uses templates, integrates with Active Directory Domain Services (AD DS). | CA is online and more susceptible to compromise. Cannot revoke the online CA if compromised. More difficult than multi-tier CA hierarchies to expand. |
| Enterprise Root CA offline | Not ideal for any environment. | When offline, the CA is not exposed to network-based attacks. | • Cannot be installed offline because it requires Active Directory<br>• Enterprise Root CA would not be able to service requests when offline<br>• Enterprise Root CA would have to be online sometimes and a member of the domain<br>• Creation of an Enterprise Subordinate would be needed to utilize any of the benefits of having an Active Directory integrated CA<br>• Enterprise Root CA would be online during subordinate CA renewal (in a multi-tier CA hierarchy)<br>• In a single-tier hierarchy, the Enterprise Root CA would not be available when offline to issue certificates<br>• Secure channel password would likely need to be reset in order to communicate with the domain when it was brought online, if it was offline for more than 30 days. |
| | Secure environment, multiple Issuing CAs. | Provides security and management of online CAs. Gives the environment a single point of trust for all CAs in the company. Helps enforce physical and logical control of the CA. | Easy to forget about and allow the CDP/AIA to expire and break the PKI. Expensive: requires dedicated hardware that is infrequently used. More complex and requires a greater skill level to integrate in an Active Directory Domain Services (AD DS) environment. |
| Two-tier CA hierarchy | Most environments that don't need to create security boundaries in their CA architecture. | No unnecessary offline systems. Fewer CAs to manage and renew offline. | No ability to restrict subordinate CAs or administrators. Can/should also incur the expense of an HSM. |
| Three-tier CA hierarchy | Very large and expansive PKI environments with segmented CAs, or separate groups that will manage CAs and need to be restricted. | Ability to restrict CAs from issuing certificates they shouldn't (DMZ CAs shouldn't issue smart card certificates, etc.). Allows the greatest flexibility of PKI. | Middle tier often never utilized and is wasted. Extra machine/OS/HSM expense; one more system to remember to renew and maintain in an offline state. |