Example: Designing a CA Infrastructure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After an organization defines its certificate requirements, it creates a linked hierarchy of certification authorities to enable it to distribute certificates as needed, and to validate or reject certificates as appropriate.

In creating this CA infrastructure, the organization takes the following elements into account:

  • The security administration model of the organization. For example, security administration is managed centrally from the headquarters of the organization, but individual business units create and support their own security requirements as needed for individual projects and business relationships. Some units operate autonomously, but report back to corporate IT.

  • The Active Directory infrastructure of the organization. Because the organization has a single-forest logical structure, the CA infrastructure design is simple. The existing single-forest structure allows it to set up CAs, based on geography and bandwidth, to serve clients in multiple domains. For example, one or more common CAs support clients in offices on opposite coasts.

  • Potential use of a third-party CA. The organization is concerned about IT costs and also prefers to manage its own security infrastructure. It addresses both concerns by creating and administering its own CA infrastructure. When joint venture business partners deploy PKIs, it is possible to integrate the two CA infrastructures without having to rely on a third-party CA.

    For more information about using third-party CAs to extend the CA infrastructure, see "Extending Your CA Infrastructure" later in this chapter.

Although the organization deploys Active Directory, it places a stand-alone root CA in a workgroup, rather than in the domain, for increased security. Also, it keeps this root CA offline and in a secure location that can only be accessed by an administrator who is authenticated by means of a smart card.

Directly below the root CA, the organization adds three policy CAs. One CA signs all certificates that are issued to meet the high security standards of the organization, including software code signing, smart card logon, and Internet authentication certificates. The second CA signs all certificates that are issued to meet the medium security standards of the organization, such as e-mail and EFS certificates. The third signs certificates for the CAs that issue certificates to external partners. All three policy CAs are also kept offline.

Figure 16.10 shows the CA infrastructure for the organization.

Figure 16.10   Example of a CA Infrastructure of an Organization


Table 16.5 summarizes the configuration of these CAs.

Table 16.5   CA Configuration

CA                                  Name      State     Role            Domain
Root CA                             RtCA01    Offline   Stand-alone     None
Internal medium security policy     PolCA01   Offline   Stand-alone     None
Internal high security policy       PolCA02   Offline   Stand-alone     None
External high security policy       PolCA03   Offline   Stand-alone     None
Internal medium security issuing 1  IsCA01    Online    Member server   Corp
Internal medium security issuing 2  CA06      Online    Member server   Corp
Internal medium security issuing 3  CA07      Online    Member server   Corp
Internal high security issuing 2    CA08      Online    Member server   Corp
Internal high security issuing 3    CA09      Online    Member server   Corp
External high security issuing 1    CA01      Online    Member server   Corp
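As an added example (not part of the original chapter), the hierarchy in Table 16.5 as a small Python model with checks for the design rules stated above: root and policy CAs offline, stand-alone and outside the domain; issuing CAs online, domain-joined and chained to the policy CA of their own tier. The parent links between issuing and policy CAs are assumed from the CA descriptions, since Figure 16.10 is not reproduced in the text.

```python
from typing import NamedTuple

class CA(NamedTuple):
    name: str
    tier: str    # "root", "policy" or "issuing"
    scope: str   # "internal" / "external" ("all" for the root)
    level: str   # "high" / "medium" ("all" for the root)
    state: str   # Table 16.5 State column
    role: str    # Table 16.5 Role column
    domain: str  # Table 16.5 Domain column
    parent: str  # issuing CA's name; "" for the root (parent links are assumed)

# Table 16.5 as data; the parent column is an assumption based on each CA's description.
HIERARCHY = {ca.name: ca for ca in [
    CA("RtCA01",  "root",    "all",      "all",    "Offline", "Stand-alone",   "None", ""),
    CA("PolCA01", "policy",  "internal", "medium", "Offline", "Stand-alone",   "None", "RtCA01"),
    CA("PolCA02", "policy",  "internal", "high",   "Offline", "Stand-alone",   "None", "RtCA01"),
    CA("PolCA03", "policy",  "external", "high",   "Offline", "Stand-alone",   "None", "RtCA01"),
    CA("IsCA01",  "issuing", "internal", "medium", "Online",  "Member server", "Corp", "PolCA01"),
    CA("CA06",    "issuing", "internal", "medium", "Online",  "Member server", "Corp", "PolCA01"),
    CA("CA07",    "issuing", "internal", "medium", "Online",  "Member server", "Corp", "PolCA01"),
    CA("CA08",    "issuing", "internal", "high",   "Online",  "Member server", "Corp", "PolCA02"),
    CA("CA09",    "issuing", "internal", "high",   "Online",  "Member server", "Corp", "PolCA02"),
    CA("CA01",    "issuing", "external", "high",   "Online",  "Member server", "Corp", "PolCA03"),
]}

def chain(cas, name):
    """Return the issuer chain from the named CA up to the root, e.g. CA08 -> PolCA02 -> RtCA01."""
    path = []
    while name:
        ca = cas[name]
        path.append(ca.name)
        name = ca.parent
    return path

def design_violations(cas):
    """Return one message per design rule the hierarchy breaks (empty list if it is sound)."""
    problems = []
    for ca in cas.values():
        if ca.tier in ("root", "policy") and (ca.state, ca.role, ca.domain) != ("Offline", "Stand-alone", "None"):
            problems.append(f"{ca.name}: {ca.tier} CA must be offline, stand-alone and outside the domain")
        if ca.tier == "issuing":
            parent = cas.get(ca.parent)
            if (ca.state, ca.role) != ("Online", "Member server"):
                problems.append(f"{ca.name}: issuing CA must be an online member server")
            if parent is None or parent.tier != "policy":
                problems.append(f"{ca.name}: must be signed by a policy CA, not {ca.parent or 'nothing'}")
            elif (parent.scope, parent.level) != (ca.scope, ca.level):
                problems.append(f"{ca.name}: chained to {parent.name}, a {parent.scope} {parent.level} policy CA")
    return problems
```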