Enterprise root CA on a domain controller online
+ Fewer Windows Server operating system (OS) licenses and configurations
- Configuration dependencies make domain controller maintenance and restore complex.
- Root CA is online and more susceptible to compromise
Enterprise root CA online
+ Easy to manage, uses templates, integrates with Active Directory Domain Services (ADDS)
- Root CA is online and more susceptible to compromise.
- Cannot revoke online CA if compromised
- More difficult than multi-tier CA hierarchies to expand
Enterprise root CA offline
- Administrative difficulty and uncommon configuration, which may not function properly or reliably with no known benefit over using an offline Standalone Root CA
- Unlikely that an Enterprise root CA could be installed offline, unless Windows Server 2008 R2 is used with offline domain join. Such a use of offline domain join has not been tested and is not supported
Standalone offline root CA
Secure environment, multiple Issuing CAs.
+ Provides security and management of online CAs. Allows environments to have a single point to trust all CAs in the company
+ Helps control physical and logical control to CA
- Easy to forget about and allow CDP/AIA to expire and break PKI
- Expensive – requires dedicated hardware or virtual computer that is infrequently used
- More complex and requires greater skill level to integrate in an Active Directory Domain Services (AD DS) environment
Two-tier CA hierarchy
Most environments that do not have a need to create security boundaries in their CA architectures.
+ No unnecessary offline systems
+ Less CAs to manage and renew offline than three or more tier configurations
- No ability to restrict subordinate CAs or administrators
- Should include a
Hardware Security Module (HSM), which comes at additional cost
Three-tier CA hierarchy
Very large and expansive PKI environments with segmented CAs or separate groups that will manage CAs and need to be restricted.
+ Ability to restrict CAs from issuing certs that should not. For example, a perimeter network (also called DMZ) CA should not issue Smart cards
+ Allows greatest flexibility of PKI
- Middle tier often never utilized and is wasted. Extra computer or virtual machine, OS, and HSM expense.
- Another computer to maintain in an offline state
Return to Top
Kurt L Hudson edited Revision 27. Comment: Added moving from single PKI tier to multi-tier link
The link in the section "Example Policy Statements" to "EuroPKI Top Level Certification Authority Certificate Policy (CP) Statement" is broken (404).