Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by
  • When: 15 Apr 2011 8:31 PM
  • Last revision by (eMicrosoft Partne)
  • When: 4 Jul 2013 10:55 AM
  • Revisions: 57
  • Comments: 41
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Public Key Infrastructure Design Guidance

Public Key Infrastructure Design Guidance

Public Key Infrastructure Design Guidance

Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organizations security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. For more information on policy statements, see Example Policy Statements in this article.

Table of Contents

PKI Design Options

When planning your CA hierarchy for your organization's PKI, you can use the following table to get an idea of the type of hierarchy and CAs to implement.
 

Design Option

Best for

Pros

Cons

Enterprise root CA on a domain controller online

 > Lab environments only when PKI design is not a priority.
> Resources severely constrained (worst case scenario).

+ Fewer Windows Server operating system (OS) licenses and configurations

- Configuration dependencies make domain controller maintenance and restore complex.
- Root CA is online and more susceptible to compromise

Enterprise root CA online

> Small organizations with limited security needs.
> Environments that don’t have high security needs and do not want to manage an offline system.
> Large companies with limited certificate needs, such as internal SSL online only.

 

 

 

+ Easy to manage, uses templates, integrates with Active Directory Domain Services (ADDS)

- Root CA is online and more susceptible to compromise.
- Cannot revoke online CA if compromised
- More difficult than multi-tier CA hierarchies to expand

Enterprise root CA offline

Not recommended.

 + When offline the CA is not exposed to network-based attacks

- Administrative difficulty and uncommon configuration, which may not function properly or reliably with no known benefit over using an offline Standalone Root CA
- Unlikely that an Enterprise root CA could be installed offline, unless Windows Server 2008 R2 is used with offline domain join. Such a use of offline domain join has not been tested and is not supported

Standalone offline root CA

Secure environment, multiple Issuing CAs.

+ Provides security and management of online CAs. Allows environments to have a single point to trust all CAs in the company
+ Helps control physical and logical control to CA

- Easy to forget about and allow CDP/AIA to expire and break PKI
- Expensive – requires dedicated hardware or virtual computer that is infrequently used
- More complex and requires greater skill level to integrate in an Active Directory Domain Services (AD DS) environment

Two-tier CA hierarchy

Most environments that do not have a need to create security boundaries in their CA architectures.

+ No unnecessary offline systems
+ Less CAs to manage and renew offline than three or more tier configurations

- No ability to restrict subordinate CAs or administrators
- Should include a Hardware Security Module (HSM), which comes at additional cost

Three-tier CA hierarchy

Very large and expansive PKI environments with segmented CAs or separate groups that will manage CAs and need to be restricted.

+ Ability to restrict CAs from issuing certs that should not. For example, a perimeter network (also called DMZ) CA should not issue Smart cards
+ Allows greatest flexibility of PKI

- Middle tier often never utilized and is wasted. Extra computer or virtual machine, OS, and HSM expense.
- Another computer to maintain in an offline state

Return to Top

Links to Detailed Design Guidance   

Return to Top

Example Policy Statements

Return to Top

Consider Compatibility

Return to Top

Additional Resources

Return to Top

, , , , , , , , , , , , , , , , , , , , , [Edit tags]
Leave a Comment
  • Please add 7 and 8 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 15 May 2013 5:44 AM

    Carsten Siemens edited Revision 53. Comment: Added tag: has comment

  • 5 May 2013 9:28 AM

    Kurt L Hudson MSFT edited Revision 52. Comment: Added a video example that should help to understand the basic details of PKI

  • 1 Mar 2013 7:26 AM

    Kurt L Hudson edited Revision 49. Comment: Added compatibility considerations

  • 4 Jul 2012 12:55 PM

    Ed Price - MSFT edited Revision 46. Comment: Added whitespace above table

  • 4 Jul 2012 12:53 PM

    Ed Price - MSFT edited Revision 45. Comment: Added whitespace above table

  • 4 Jul 2012 12:49 PM

    Ed Price - MSFT edited Revision 42. Comment: Font change and added tags.

  • 7 Mar 2012 8:44 AM

    Kurt L Hudson edited Revision 41. Comment: Made additional resources a heading 1 link

  • 7 Mar 2012 8:42 AM

    Kurt L Hudson edited Revision 40. Comment: return to top added

  • 7 Mar 2012 8:37 AM

    Kurt L Hudson edited Revision 39. Comment: Organizing article a bit more

  • 7 Mar 2012 8:33 AM

    Kurt L Hudson edited Revision 38. Comment: TOC added

Page 1 of 4 (39 items) 1234
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 23 Apr 2011 2:44 PM

    Kurt L Hudson edited Original. Comment: Updated introductory statement

  • Posted by
    on 23 Apr 2011 2:45 PM

    Kurt L Hudson edited Revision 1. Comment: added CPS acronym

  • Posted by
    on 28 Apr 2011 1:17 AM

    Kurt L Hudson edited Revision 2. Comment: Added some additional resources

  • Posted by
    on 28 Apr 2011 1:19 AM

    Kurt L Hudson edited Revision 3. Comment: Rolled Additional Resources into its own section

  • Posted by
    on 28 Apr 2011 2:53 AM

    Kurt L Hudson edited Revision 4. Comment: Added some additional resources

  • Posted by
    on 29 Apr 2011 2:02 PM

    Kurt L Hudson edited Revision 5. Comment: Explained the offline Root CA possibility and drawbacks

  • Posted by
    on 2 May 2011 12:27 PM

    Kurt L Hudson edited Revision 6. Comment: updated based on an ongoing discussion about Enterprise Root CA offline with Umit Akkus

  • Posted by
    on 2 May 2011 12:51 PM

    Kurt L Hudson edited Revision 7. Comment: Downplayed the specific drawbacks on an Enterprise Root CA offline to simply say it is not recommended and likely may not work

  • Posted by
    on 2 May 2011 12:58 PM

    Kurt L Hudson edited Revision 8. Comment: Attempted to correct some formatting issues

  • Posted by
    on 2 May 2011 1:08 PM

    Kurt L Hudson edited Revision 9. Comment: fixing formatting issues and a couple of typos fixing colors to 1f497d

  • Posted by
    on 2 May 2011 1:10 PM

    Kurt L Hudson edited Revision 10. Comment: formatting

  • Posted by
    on 2 May 2011 1:11 PM

    Kurt L Hudson edited Revision 11. Comment: formatting fixes

  • Posted by
    on 2 May 2011 1:13 PM

    Kurt L Hudson edited Revision 12. Comment: fixing links

  • Posted by
    on 2 May 2011 1:15 PM

    Kurt L Hudson edited Revision 13. Comment: Corrected link to open in New Window

  • Posted by
    on 2 May 2011 2:40 PM

    Ed Price MSFT edited Revision 14. Comment: Making font colors and edge colors in the table consistent. Also the tags needed commas.

Page 1 of 3 (41 items) 123