Using a Cross-Certification Configuration
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
With the cross-certification method for extending the CA infrastructure, neither party creates a separate PKI; instead, cross-certificates, accompanied by qualified subordination, enable communication between existing public key infrastructures of two organizations to the degree of trust that their business relationship dictates.
Cross-certification creates a shared trust between two CAs that do not share a common root CA. These CAs exchange cross-certificates that allow their organizations to communicate. In this way, the organizations do not have to create and manage additional root CAs. Cross-certification might be the best option if a common root CA for both PKIs does not exist.
Figure 16.13 shows an example of an extended CA infrastructure based on cross-certification between the root CA of organization 1 and a subordinate CA in organization 2.
Figure 16.13 Extended CA Infrastructure Based on Cross-Certification
The advantages to using cross-certification to extend the PKI include low cost and a high degree of flexibility, as you can cross-certify at any level in the hierarchy. For example, if a division of organization 2 wants to share information with all of organization 1, the division can cross-certify with the root CA of organization 1. This, however, creates a security risk, as it exposes resources in parts of the organization that are not part of the business relationship. On the other hand, if a division of organization 1 and a division of organization 2 want to share information, the two divisions can cross-certify CAs that are lower in the CA hierarchy. This option is more secure, as the other divisions of the organizations are not unnecessarily exposed.
Cross-certification requires greater administrative overhead than other methods for extending the CA infrastructure, and entails the risk that outsiders might unintentionally be given access to internal resources. If an organization becomes involved in many cross-certification relationships with different levels of trust and different applications, the management overhead can be significant.