Before you configure a Public Key Infrastructure (PKI) and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS). If your organization
does not have such policy statements, you should consider creating them. For more information on policy statements, see
Example Policy Statements in this article.
Enterprise root CA on a domain controller online
> Resources severely constrained (worst case scenario).
+ Fewer Windows Server operating system (OS) licenses and configurations
- Configuration dependencies make domain controller maintenance and restore complex.
- Root CA is online and more susceptible to compromise
Enterprise root CA online
> Environments that don’t have high security needs and do not want to manage an offline system.
> Large companies with limited certificate needs, such as internal SSL online only.
+ Easy to manage, uses templates, integrates with Active Directory Domain Services (ADDS)
- Root CA is online and more susceptible to compromise.
- Cannot revoke online CA if compromised
- More difficult than multi-tier CA hierarchies to expand
Enterprise root CA offline
- Administrative difficulty and uncommon configuration, which may not function properly or reliably with no known benefit over using an offline Standalone Root CA
- Unlikely that an Enterprise root CA could be installed offline, unless Windows Server 2008 R2 is used with offline domain join. Such a use of offline domain join has not been tested and is not supported
Standalone offline root CA
Secure environment, multiple Issuing CAs.
+ Provides security and management of online CAs. Allows environments to have a single point to trust all CAs in the company
+ Helps control physical and logical control to CA
- Easy to forget about and allow CDP/AIA to expire and break PKI
- Expensive – requires dedicated hardware or virtual computer that is infrequently used
- More complex and requires greater skill level to integrate in an Active Directory Domain Services (AD DS) environment
Two-tier CA hierarchy
Most environments that do not have a need to create security boundaries in their CA architectures.
+ No unnecessary offline systems
+ Less CAs to manage and renew offline than three or more tier configurations
- No ability to restrict subordinate CAs or administrators
- Should include a
Hardware Security Module (HSM), which comes at additional cost
Three-tier CA hierarchy
Very large and expansive PKI environments with segmented CAs or separate groups that will manage CAs and need to be restricted.
+ Ability to restrict CAs from issuing certs that should not. For example, a perimeter network (also called DMZ) CA should not issue Smart cards
+ Allows greatest flexibility of PKI
- Middle tier often never utilized and is wasted. Extra computer or virtual machine, OS, and HSM expense.
- Another computer to maintain in an offline state
Return to Top
↑ Return to Top