Any advantages by running a two-level certificate solution?

LAban24
Guest
Hi

I'm looking into creating a two-level certificate hierarchy and I'm just
wondering, are there any advantages by running this as opposed to a
single-level CA certificate?

A three-level hierarchy (which is what Microsoft docs seem to advocate) is
an overkill for my intended use of a CA.

I want to set up a CA solution that's as secure as possible without using HW
based crypto units or a three-level CA hierarchy. That's why I am wondering
if a two-level CA hierarchy will do the job. All my issuing CAs will be
issuing the same type of certificates.

If the certificate of the issuing certificate CA is compromised, do I need
to rebuild the entire hierarchy?

Any best-practices out there for a two-level CA solution?

Other things I should be aware of?

Thanks,

L.

Brian Komar (MVP)
Guest
Answers inline...

"LAban24" <LAban24@discussions.microsoft.com> wrote in message
news:40D44255-8E0A-49E7-9F57-E57B7B458C29@microsoft.com...

> Hi
>
> I'm looking into creating a two-level certificate hierarchy and I'm just
> wondering, are there any advantages by running this as opposed to a
> single-level CA certificate?

I would look at my PKI book to review the different design decisions between
a single and two-tiered hierarchy.
A three-tiered hierarchy is not for every organization.

> A three-level hierarchy (which is what Microsoft docs seem to advocate) is
> an overkill for my intended use of a CA.

Most likely, but you do not provide any information, so who knows.

> I want to set up a CA solution that's as secure as possible without using HW
> based crypto units or a three-level CA hierarchy. That's why I am wondering
> if a two-level CA hierarchy will do the job. All my issuing CAs will be
> issuing the same type of certificates.

Without HW crypto, it will not be extremely secure. The number of levels of
a hierarchy has very little to do with security and more to do with policy.

> If the certificate of the issuing certificate CA is compromised, do I need
> to rebuild the entire hierarchy?

No, you only need to revoke all certs issued by that CA.

> Any best-practices out there for a two-level CA solution?

I cover this in both my 2003 and 2008 PKI books.

> Other things I should be aware of?

I think you need to spend more time on design. Design should come up with
how many tiers you need, whether you need HW crypto.
You are putting these as requirements, and they are results of the design
exercise.

> Thanks,
>
> L.
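Brian's point that a compromised issuing CA is handled by revocation rather than by rebuilding the hierarchy, as an added example that is not from any poster in this thread: a two-tier hierarchy built with openssl (constructed names, everything in a temp dir, openssl assumed on PATH); after the root revokes the issuing CA, chain validation with CRL checking rejects the leaf while the root itself stays trusted and untouched.

```shell
#!/bin/sh
# Two-tier hierarchy with openssl: offline root CA -> online issuing CA -> leaf cert,
# then the root revokes a compromised issuing CA. Names are constructed for the demo.
set -eu
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
# Key pair plus CSR for $1 with common name $2.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

# Minimal 'openssl ca' setup for CA $1: its own database, serial file, key and cert.
ca_cfg() {
  touch "$1.idx"; echo 1000 > "$1.num"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\nserial=%s.num\nnew_certs_dir=.\n' "$1" "$1" > "$1.cnf"
  printf 'certificate=%s.crt\nprivate_key=%s.key\ndefault_md=sha256\n' "$1" "$1" >> "$1.cnf"
  printf 'default_crl_days=30\npolicy=p\n[p]\ncommonName=supplied\n' >> "$1.cnf"
}

# CA $1 signs $2.csr with the extensions in $3 and records the cert in its database.
sign() { openssl ca -config "$1.cnf" -batch -notext -days 365 -in "$2.csr" -out "$2.crt" -extfile "$3" 2>/dev/null; }

build_hierarchy() {
  cd "$(mktemp -d "$DEMO/pki.XXXXXX")"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > ee.ext
  csr root "Demo Root CA"        # root: self-signed, would live offline in practice
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
  ca_cfg root
  csr issuing "Demo Issuing CA"; sign root issuing ca.ext   # issuing CA certified by the root
  ca_cfg issuing
  csr leaf "host.example.test"; sign issuing leaf ee.ext    # end-entity cert from the issuing CA
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null         # both CRLs start empty
  openssl ca -config issuing.cnf -gencrl -out issuing.crl 2>/dev/null
}

# Validate the leaf against the root, checking a CRL for every certificate in the chain.
verify_leaf() {
  cat root.crl issuing.crl > all.crl
  openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl -untrusted issuing.crt leaf.crt
}

# Compromise response: the root revokes the issuing CA and publishes a fresh CRL. Every
# cert the issuing CA ever signed now fails validation; the root itself needs no rebuild.
revoke_issuing() {
  openssl ca -config root.cnf -revoke issuing.crt 2>/dev/null
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
}
build_hierarchy
echo "before revocation:"; verify_leaf
revoke_issuing
echo "after the root revokes the issuing CA:"; verify_leaf || echo "leaf rejected, as intended"
```

The issuing CA's own CRL is still consulted for the leaf, so a relying party needs both CRLs (or equivalent OCSP responses) to reach a verdict on the whole chain.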

Bendji
Guest
Hi L.

Microsoft has created a really good guide for a two-level hierarchy:

http://www.microsoft.com/downloads/details...&displaylang=en

The link is to a case where MS is making a solution for wireless access and
is going through all the steps for a PKI design and implementation. It's one
of my favorite papers from MS about PKI. There are both pros and cons about
the hierarchy and why they build it as they do.

If you combine this with the best practice and blueprint guides for PKI from
MS you should be well on your way.

Hope this helps.

Best Regards,

Benjamin

