Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Example: Designing a CA Infrastructure

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After an organization defines its certificate requirements, it creates a linked hierarchy of certification authorities to enable it to distribute certificates as needed, and to validate or reject certificates as appropriate.

In creating this CA infrastructure, the organization takes the following elements into account:

  • The security administration model of the organization. For example, security administration is managed centrally from the headquarters of the organization, but individual business units create and support their own security requirements as needed for individual projects and business relationships. Some units operate autonomously, but report back to corporate IT.

  • The Active Directory infrastructure of the organization. Because the organization has a single-forest logical structure, the CA infrastructure design is simple. The existing single-forest structure allows them to set up CAs, based on geography and bandwidth, to serve clients in multiple domains. For example, one or more common CAs support clients in offices on opposite coasts.

  • Potential use of a third-party CA. The organization is concerned about IT costs and also prefers to manage its own security infrastructure. It addresses both concerns by creating and administering its own CA infrastructure. When joint venture business partners deploy PKIs, it is possible to integrate the two CA infrastructures without having to rely on a third-party CA.

    For more information about using third-party CAs to extend the CA infrastructure, see "Extending Your CA Infrastructure" later in this chapter.

Although the organization deploys Active Directory, it places a stand-alone root CA in a workgroup, rather than in the domain, for increased security. Also, it keeps this root CA offline and in a secure location that can only be accessed by an administrator who is authenticated by means of a smart card.

Directly below the root CA, the organization adds three policy CAs. One CA signs all certificates that have been issued to meet the high security standards of the organization, including software code signing, smart card logon, and Internet authentication certificates. The second CA signs all certificates that have been issued to meet the medium security standards of the organization, such as e-mail and EFS certificates. The third signs certificates for the CAs that issue certificates to external partners. These are also offline.

Figure 16.10 shows the CA infrastructure for the organization.

Figure 16.10   Example of a CA Infrastructure of an Organization

Example of a CA Infrastructure of an Organization

Table 16.5 summarizes the configuration of these CAs.

Table 16.5   CA Configuration

 

CA Name State Role Domain

Root CA

RtCA01

Offline

Stand-alone

None

Internal medium security policy

PolCA01

Offline

Stand-alone

None

Internal high security policy

PolCA02

Offline

Stand-alone

None

External high security policy

PolCA03

Offline

Stand-alone

None

Internal medium security issuing 1

IsCA01

Online

Member server

Corp

Internal medium security issuing 2

CA06

Online

Member server

Corp

Internal medium security issuing 3

CA07

Online

Member server

Corp

Internal high security issuing 2

CA08

Online

Member server

Corp

Internal high security issuing 3

CA09

Online

Member server

Corp

External high security issuing 1

CA01

Online

Member server

Corp

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.