Selecting Internal CAs vs. Third-Party CAs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Depending on the functionality that you require, the capabilities of your IT infrastructure and IT administrators, and the costs that your organization can support, you might choose to base your certification authority infrastructure on internal CAs, third-party CAs, or a combination of internal and third-party CAs.

Internal CAs

If your organization conducts most of its business with partner organizations and wants to maintain control of how certificates are issued, internal CAs are the best choice. Internal CAs:

  • Allow an organization to maintain direct control over its security policies.

  • Allow an organization to align its certificate policy with its overall security policy.

  • Can be integrated with the Active Directory infrastructure of the organization.

  • Can be expanded to include additional functionality and users at relatively little extra cost.

The disadvantages associated with using internal CAs include:

  • The organization must manage its own certificates.

  • The deployment schedule for internal CAs might be longer than that for CAs available from third-party service providers.

  • The organization must accept liability for problems with the PKI.

External CAs

If your organization conducts most of its business with external customers and clients and wants to outsource certificate issuing and management processes, you might choose to use third-party CAs. Third-party CAs:

  • Allow customers a greater degree of confidence when conducting secure transactions with the organization.

  • Allow the organization to take advantage of the expertise of a professional service provider.

  • Allow the organization to use certificate-based security technology while developing an internally managed PKI.

  • Allow the organization to take advantage of the provider’s understanding of the technical, legal, and business issues associated with certificate use.

The disadvantages associated with use of third-party CAs include:

  • They typically involve a high per-certificate cost.

  • They might require the development of two different management standards, one for internally issued certificates and one for commercially issued certificates.

  • They allow less flexibility in configuring and managing certificates.

  • Clients in the organization must be able to reach the third-party CA's CRL distribution points in order to check certificate revocation status.

  • Autoenrollment is not possible.

  • Third-party CAs allow only limited integration with the internal directories, applications, and infrastructure of the organization.
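The CRL-access point above is worth checking on real hosts: a certificate from a third-party CA is only as good as your clients' ability to download its CRL. The following PowerShell script is an added example, not part of the original Microsoft page, that lists the CRL distribution points of every certificate in the local machine's Personal store and flags the ones whose CRL host is outside the organization. It assumes PowerShell 3.0 or later and an internal DNS suffix of corp.example.com (a placeholder; substitute your own Active Directory suffix).

```powershell
# Added example (not from the original page): inventory CRL distribution points
# and flag certificates whose revocation checking depends on an external CA.
$InternalSuffix = 'corp.example.com'   # assumption: replace with your AD DNS suffix
$CdpOid = '2.5.29.31'                  # OID of the X.509 CRL Distribution Points extension

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid } | Select-Object -First 1
    if (-not $ext) {
        # No CDP at all: revocation cannot be checked for this certificate.
        [pscustomobject]@{ Subject = $cert.Subject; CrlUrl = '(none)'; Scope = 'NoCDP' }
        return   # inside ForEach-Object this moves on to the next certificate
    }

    # Format($true) renders the extension as multi-line text containing "URL=" entries.
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $scope = 'Unparsed'
        try {
            $uri = [uri]$url
            if ($uri.Scheme -eq 'ldap' -and [string]::IsNullOrEmpty($uri.Host)) {
                # ldap:/// with no host: published in Active Directory by an internal CA.
                $scope = 'Internal (AD)'
            } elseif ($uri.Host.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)) {
                $scope = 'Internal'
            } else {
                # CRL lives on a host you do not control; clients need outbound reachability.
                $scope = 'External'
            }
        } catch {
            # Leave scope as 'Unparsed' so malformed URLs are still reported.
        }
        [pscustomobject]@{ Subject = $cert.Subject; CrlUrl = $url; Scope = $scope }
    }
} | Sort-Object Scope, Subject | Format-Table -AutoSize
```

Rows marked External identify certificates whose revocation checking will fail if the third-party CA's CRL host is unreachable from that machine (for example, from an isolated server segment without outbound HTTP). To confirm actual reachability for one certificate rather than just classify the URLs, export it to a file and run `certutil -verify -urlfetch <file>.cer`, which fetches each CRL and AIA location and reports which ones fail.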

You might need to use both internal and third-party CAs. For information about using a combination of internal and third-party CAs in your organization, see "Extending Your CA Infrastructure" later in this chapter.