Public Key Infrastructure Design Guidance

Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS). If your organization does not have such policy statements, you should consider creating them. For more information on policy statements, see Example Policy Statements in this article.


PKI Design Options

When planning the CA hierarchy for your organization's PKI, you can use the following comparison to get an idea of the type of hierarchy and CAs to implement. Each design option lists what it is best for, its pros (+) and its cons (-).

Design option: Enterprise root CA on a domain controller (online)

Best for:
  > Lab environments only, when PKI design is not a priority.
  > Severely resource-constrained environments (worst-case scenario).

Pros:
  + Fewer Windows Server operating system (OS) licenses and configurations.

Cons:
  - Configuration dependencies make domain controller maintenance and restore complex.
  - The root CA is online and more susceptible to compromise.

Design option: Enterprise root CA online

Best for:
  > Small organizations with limited security needs.
  > Environments that do not have high security needs and do not want to manage an offline system.
  > Large companies with limited certificate needs, such as internal SSL certificates only.

Pros:
  + Easy to manage, uses templates, and integrates with Active Directory Domain Services (AD DS).

Cons:
  - The root CA is online and more susceptible to compromise.
  - An online root CA cannot be revoked if it is compromised.
  - More difficult to expand than multi-tier CA hierarchies.

Design option: Enterprise root CA offline

Best for:
  Not recommended.

Pros:
  + While offline, the CA is not exposed to network-based attacks.

Cons:
  - Administratively difficult and an uncommon configuration that may not function properly or reliably, with no known benefit over an offline standalone root CA.
  - Unlikely that an Enterprise root CA could be installed offline at all, unless Windows Server 2008 R2 is used with offline domain join; that use of offline domain join has not been tested and is not supported.

Design option: Standalone offline root CA

Best for:
  Secure environments with multiple issuing CAs.

Pros:
  + Provides security for and management of the online CAs, and gives the company a single trust point for all of its CAs.
  + Helps enforce physical and logical control of the root CA.

Cons:
  - Easy to forget about; if the root's CRL distribution point (CDP) or authority information access (AIA) data is allowed to expire, the PKI breaks.
  - Expensive: requires a dedicated physical or virtual computer that is used infrequently.
  - More complex, and requires a greater skill level to integrate into an Active Directory Domain Services (AD DS) environment.

Design option: Two-tier CA hierarchy

Best for:
  Most environments that do not need to create security boundaries within their CA architecture.

Pros:
  + No unnecessary offline systems.
  + Fewer CAs to manage and renew offline than three-tier or larger configurations.

Cons:
  - No ability to restrict subordinate CAs or their administrators.
  - Should include a Hardware Security Module (HSM), which comes at additional cost.

Design option: Three-tier CA hierarchy

Best for:
  Very large and expansive PKI environments with segmented CAs, or separate groups that manage CAs and need to be restricted.

Pros:
  + Ability to restrict CAs from issuing certificates they should not; for example, a perimeter network (DMZ) CA should not issue smart card certificates.
  + Allows the greatest PKI flexibility.

Cons:
  - The middle tier is often never used and is wasted: an extra physical or virtual computer, OS license, and HSM.
  - Another computer to maintain in an offline state.
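The "easy to forget about" con of the standalone offline root is a monitoring problem: the root's CRL carries a nextUpdate, and if nobody brings the root online to re-sign and republish it before then, revocation checking fails for the whole hierarchy. The following added example (not part of this article or of AD CS) checks a CRL as fetched from the CDP against the root's public key and reports how many days remain, using the Python cryptography package; the CA name, the 90-day CRL lifetime and the 14-day warning window are assumptions, and the CRLs are constructed inline rather than downloaded.

```python
# Added example (not from the article): a monitor for the "offline root's CRL quietly
# expires" failure mode. Assumed: 'cryptography' package, CA name, 90-day CRL, 14-day warning.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def make_root_crl(key, lifetime_days, issued_at):
    """Sign a CRL the way an offline root would (constructed sample, DER bytes)."""
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline Root CA")])
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer)
           .last_update(issued_at)
           .next_update(issued_at + timedelta(days=lifetime_days))
           .sign(private_key=key, algorithm=hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def crl_status(crl_der, root_public_key, now, warn_days=14):
    """Classify a CRL fetched from the CDP: UNTRUSTED / EXPIRED / WARN / OK, plus days left."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(root_public_key):  # not signed by the root we trust
        return "UNTRUSTED", None
    next_update = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if next_update is None:  # older releases expose only a naive UTC datetime
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    days_left = (next_update - now).total_seconds() / 86400
    if days_left <= 0:
        return "EXPIRED", days_left
    return ("WARN" if days_left <= warn_days else "OK"), days_left

def demo(now=NOW):
    """Run the monitor over four constructed CRLs; returns {scenario: (state, days)}."""
    root = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # wrong signer
    scenarios = [("fresh", root, 10), ("due_soon", root, 80),
                 ("lapsed", root, 100), ("rogue", rogue, 10)]
    results = {}
    for name, key, age_days in scenarios:
        der = make_root_crl(key, 90, now - timedelta(days=age_days))
        state, days = crl_status(der, root.public_key(), now)
        results[name] = (state, None if days is None else round(days))
    return results

if __name__ == "__main__":
    for scenario, (state, days) in demo().items():
        print(f"{scenario:8s} -> {state} ({days} days to nextUpdate)")
```

In production, replace the constructed CRLs with the bytes downloaded from each CDP URL in the root certificate and alert on WARN well before the offline root's CRL publication schedule.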

Links to Detailed Design Guidance   

Example Policy Statements

Consider Compatibility

Additional Resources
