3 Tier CA Hierarchy - Configuring the 2nd Tier

  • Question

  • Hi

    I am looking to set up a 3 Tier PKI to allow separation of responsibility between geographical regions, each region having its own Policy server.

    I have set up a Lab with a Root CA and am now looking to do the second tier. I can't find any guidance on this and am hoping to get help in terms of how to configure the second tier (Standalone?). There seems to be plenty of help for a Two Tier architecture, but nothing for 3.

    I am pretty new to PKI, so any help would be appreciated

    Cheers

    Kev

    • Moved by Amy Wang_ Friday, November 7, 2014 6:46 AM CA related from Windows Server 2012 Setup forum
    Wednesday, November 5, 2014 10:52 PM

Answers

  • Hi Kev,

    As far as I know, setting up the third tier CA is a lot like the second tier one, except that the CA certificate of the third tier CA comes from the second tier CA.

    Best Regards,

    Amy

    • Proposed as answer by Amy Wang_ Monday, November 10, 2014 1:48 PM
    • Marked as answer by Amy Wang_ Monday, November 17, 2014 3:03 AM
    Friday, November 7, 2014 8:18 AM
  • Amy is right - the policy CA is typically an offline standalone CA. I don't claim it is the best resource, but I found this white paper on Microsoft's own infrastructure helpful:

    Deploying and Managing PKI inside Microsoft

    They moved from a 3-tier to a 2-tier internal infrastructure.

    If you plan to add Certificate Policies ("Issuance Policies"), threads like this one might be interesting for you. If you add policy OIDs at the 2nd tier, you need to add a subset of them also to the issuing CAs' certificates.

    Elke

    • Proposed as answer by Amy Wang_ Monday, November 10, 2014 1:48 PM
    • Marked as answer by Amy Wang_ Monday, November 17, 2014 3:03 AM
    Friday, November 7, 2014 3:31 PM
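    As an added example (not from this thread, and not Microsoft's documentation), here is the Certificate Policies part of Elke's advice written as CAPolicy.inf for a regional tier-2 policy CA and for one tier-3 issuing CA beneath it. The policy names, OIDs and URLs are placeholders, and the offline standalone choice itself is made at install time (Install-AdcsCertificationAuthority -CAType StandaloneSubordinateCA), not in this file.

```ini
; --- File 1: CAPolicy.inf for the tier-2 regional policy CA, placed in
;     %SystemRoot% before Install-AdcsCertificationAuthority runs.
[Version]
Signature="$Windows NT$"

; Every issuance policy this region defines. The OIDs are placeholders;
; use an arc under your organisation's own Private Enterprise Number.
[PolicyStatementExtension]
Policies=RegionMedium, RegionHigh
Critical=False

[RegionMedium]
OID=1.3.6.1.4.1.99999.1.1
Notice="Placeholder: regional medium-assurance issuance policy"
URL=http://pki.example.invalid/cps/medium.html

[RegionHigh]
OID=1.3.6.1.4.1.99999.1.2
Notice="Placeholder: regional high-assurance issuance policy"
URL=http://pki.example.invalid/cps/high.html

; Exactly one further CA tier (the issuing CAs) is allowed beneath this CA.
[BasicConstraintsExtension]
PathLength=1
Critical=Yes

; Offline CA: long-lived CRL, no delta CRLs.
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0

; --- File 2: CAPolicy.inf for a tier-3 issuing CA under that policy CA. It
;     asserts a subset of the parent's policies (RegionMedium only); an OID the
;     parent's certificate lacks would not validate for end-entity certificates.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=RegionMedium
Critical=False

[RegionMedium]
OID=1.3.6.1.4.1.99999.1.1
Notice="Placeholder: regional medium-assurance issuance policy"
URL=http://pki.example.invalid/cps/medium.html
```

    After each CA is installed, certutil -dump on its certificate shows the Certificate Policies extension, which is the quickest way to confirm the issuing CA's OIDs are contained in the policy CA's.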

All replies

  • Hi Kev,

    Do you need further assistance on this issue at the moment?

    If yes, please feel free to let us know.

    Best Regards,

    Amy

    Wednesday, November 12, 2014 7:42 AM