Schedule Production Rollout in Stages

For large enterprise deployments, schedule the production rollout of the public key infrastructure in stages. You can roll out different portions of the infrastructure as necessary to support your security goals and business needs, and each stage can be tested and verified before the next one depends on it.

For example, you might begin with EFS and IPSec because you do not have to establish a CA hierarchy to get the security benefits of these features (EFS can use self-signed certificates, and IPSec can authenticate with Kerberos). You might then give the next highest priority to secure mail and smart card authentication. You can schedule the rollout of the secure mail infrastructure before the rollout of the smart card infrastructure, or you can roll out secure mail to one group or site while simultaneously rolling out the smart card infrastructure to another group or site.

To roll out the PKI for secure mail, you can schedule the following activities for each stage of the rollout:

  • Install root CAs for secure mail in the parent domains for each tree in your organization (root CAs are used to certify intermediate CAs in that domain or in a subdomain).

  • Install and configure secure mail system and services (as necessary).

  • Install intermediate CAs for secure mail in the domains or subdomains for each business unit (each business unit certifies and installs issuing CAs for its user groups).

  • Install and configure issuing CAs (certified by the business unit's intermediate CA) and certificate enrollment services in the domains or subdomains for user groups at each site, as necessary.

To roll out the PKI for smart cards, you can schedule the following activities for each stage of the rollout:

  • Install root CAs for smart cards in the parent domains for each tree in your organization (root CAs are used to certify intermediate CAs in that domain or a subdomain).

  • Install and configure smart card readers for users and smart card administrators.

  • Install intermediate CAs for smart cards in the domains or subdomains for each business unit (each business unit certifies and installs issuing CAs for its user groups).

  • Install and configure issuing CAs (certified by the business unit's intermediate CA) and smart card enrollment stations in the domains or subdomains for user groups at each site, as necessary.
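Both rollout schedules above build the same three-tier structure: a root CA that certifies intermediate CAs, intermediate CAs that certify issuing CAs, and issuing CAs that enroll users. The example below is added here and is not from the original documentation or from Windows Certificate Services; it models that structure with Go's standard crypto/x509 package so you can check what each stage must produce before the next stage depends on it. The CA names, the user names, the use of ECDSA keys, and the choice of client authentication as the smart card extended key usage (standing in for the Windows smart card logon usage) are assumptions for the demonstration; the path length constraints encode the tier depths of the text, so a root allows two CA tiers below it, an intermediate allows one, and an issuing CA allows none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// node is one certificate in a hierarchy together with its private key.
type node struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// For a CA, maxPath is the number of CA tiers allowed below it (X.509 pathLenConstraint).
func issue(cn string, isCA bool, maxPath int, eku []x509.ExtKeyUsage, parent *node) (*node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           eku,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen = maxPath
		tmpl.MaxPathLenZero = maxPath == 0
	}
	if parent == nil { // root CA: sign with its own key
		parent = &node{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &node{cert: cert, key: key}, err
}

// buildHierarchy models one service's rollout: root CA in the parent domain (two CA
// tiers below it), business-unit intermediate CA (one tier below), site issuing CA
// (none below), then a user certificate with the service's extended key usage. Names are constructed.
func buildHierarchy(service string, leafEKU x509.ExtKeyUsage) (root, intermediate, issuing, leaf *node, err error) {
	if root, err = issue(service+" Root CA", true, 2, nil, nil); err != nil {
		return
	}
	if intermediate, err = issue(service+" Intermediate CA", true, 1, nil, root); err != nil {
		return
	}
	if issuing, err = issue(service+" Issuing CA", true, 0, nil, intermediate); err != nil {
		return
	}
	leaf, err = issue("user@example.com", false, 0, []x509.ExtKeyUsage{leafEKU}, issuing)
	return
}

// verifyChain validates leaf for eku against one trusted root and the intermediates a
// client holds; it returns the chain length (4 for root, intermediate, issuing, leaf).
func verifyChain(leaf, root *node, intermediates []*node, eku x509.ExtKeyUsage) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	for _, n := range intermediates {
		inters.AddCert(n.cert)
	}
	chains, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{eku}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	mRoot, mInt, mIss, mLeaf, err := buildHierarchy("Secure Mail", x509.ExtKeyUsageEmailProtection)
	sRoot, _, _, _, err2 := buildHierarchy("Smart Card", x509.ExtKeyUsageClientAuth)
	if err != nil || err2 != nil {
		panic("hierarchy build failed")
	}
	n, err := verifyChain(mLeaf, mRoot, []*node{mInt, mIss}, x509.ExtKeyUsageEmailProtection)
	fmt.Println("mail cert against mail root: chain length", n, "err", err)
	_, err = verifyChain(mLeaf, sRoot, []*node{mInt, mIss}, x509.ExtKeyUsageEmailProtection)
	fmt.Println("mail cert against smart card root: err", err)
}
```

Running this shows a full four-certificate chain for the mail user and a validation error when the same certificate is checked against the smart card root, which is what lets you roll the two infrastructures out independently. The same verifyChain call can confirm two other properties of a staged rollout: a user certificate does not validate while the intermediate CA for its business unit is still missing from the clients' store, and because each issuing CA is certified with a path length of zero, any CA someone installs beneath an issuing CA produces certificates that fail validation.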

In addition, you can schedule the rollout of other portions of the PKI to support additional public key security functions such as secure Web communications and secure Web sites, software code signing, IPSec authentication, and EFS user and recovery operations.