| Design Option | Best for | Pros | Cons |
|---|---|---|---|
| Enterprise root CA on a domain controller, online | | + Fewer Windows Server operating system (OS) licenses and configurations | - Configuration dependencies make domain controller maintenance and restore complex. - Root CA is online and more susceptible to compromise. |
| Enterprise root CA, online | | + Easy to manage, uses templates, integrates with Active Directory Domain Services (AD DS) | - Root CA is online and more susceptible to compromise. - The online root CA cannot be revoked if it is compromised. - More difficult than multi-tier CA hierarchies to expand. |
| Enterprise root CA, offline | Not recommended. | | - Administrative difficulty and uncommon configuration, which may not function properly or reliably, with no known benefit over using an offline standalone root CA. - It is unlikely that an enterprise root CA could be installed offline, unless Windows Server 2008 R2 is used with offline domain join. Such a use of offline domain join has not been tested and is not supported. |
| Standalone offline root CA | Secure environment, multiple issuing CAs. | + Provides security and management of online CAs. Allows environments to have a single point of trust for all CAs in the company. + Helps enforce physical and logical control of the CA. | - Easy to forget about, allowing the CDP/AIA to expire and break the PKI. - Expensive: requires dedicated hardware or a virtual computer that is infrequently used. - More complex and requires a greater skill level to integrate in an Active Directory Domain Services (AD DS) environment. |
| Two-tier CA hierarchy | Most environments that do not need to create security boundaries in their CA architectures. | + No unnecessary offline systems. + Fewer CAs to manage and renew offline than three-tier or larger configurations. | - No ability to restrict subordinate CAs or administrators. - Should include a Hardware Security Module (HSM), which comes at additional cost. |
| Three-tier CA hierarchy | Very large and expansive PKI environments with segmented CAs, or separate groups that will manage CAs and need to be restricted. | + Ability to restrict CAs from issuing certificates that they should not. For example, a perimeter network (also called DMZ) CA should not issue smart card certificates. + Allows the greatest flexibility of the PKI. | - The middle tier is often never utilized and is wasted: an extra computer or virtual machine, OS, and HSM expense. - Another computer to maintain in an offline state. |
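The standalone offline root CA row warns that an expired CRL at the CDP silently breaks the PKI. The following PowerShell script, added here and not part of the original article, fetches the CRL from each HTTP CDP URL in a certificate (for example the issuing CA's own certificate, which points at the offline root's CRL) and warns when NextUpdate is past or near. It assumes a Windows host with certutil.exe, and `$CertPath` and `$WarnDays` are hypothetical parameters.

```powershell
# Added example (not from the original article): alert before the CRL published at an
# offline root's CDP expires. Assumes certutil.exe (Windows) and HTTP CDP URLs.
param(
    [Parameter(Mandatory)] [string] $CertPath,   # e.g. the issuing CA's certificate (.cer)
    [int] $WarnDays = 7                          # warn when fewer days than this remain
)

# Read the HTTP URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CDP extension in $CertPath" }
$urls = [regex]::Matches($cdp.Format($false), 'URL=(http[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
if (-not $urls) { throw "No HTTP CDP URLs in $CertPath" }

foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('crl-' + [guid]::NewGuid() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints a " NextUpdate: <date>" line for a CRL; the date
        # uses the current culture, so Parse() is called with the same culture.
        $line = certutil -dump $tmp | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$'
        if (-not $line) { Write-Warning "$url : could not read NextUpdate"; continue }
        $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())
        $left = ($next - (Get-Date)).TotalDays
        if ($left -lt 0) {
            Write-Warning "$url : CRL EXPIRED on $next"
        } elseif ($left -lt $WarnDays) {
            Write-Warning ("$url : CRL expires in {0:N1} days ($next)" -f $left)
        } else {
            Write-Output ("$url : OK, {0:N1} days left ($next)" -f $left)
        }
    } catch {
        # A fetch failure is as bad as an expired CRL for chain building: surface it.
        Write-Warning "$url : fetch failed ($($_.Exception.Message))"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Run it on a schedule with a warning window longer than the time it takes to bring the offline root online and republish, so the renewal happens before the published CRL's NextUpdate.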