Implementing a Public Key Infrastructure (PKI), Windows Server 2003, Part I - Defining CA types

(Page 2 of 4 )

Before moving into technical details, we need to decide the type of CA we want to implement. For further information on choosing a PKI architecture, you can read my previously published article “PKI Architectures—Which one best suits you” (http://www.devshed.com/c/a/Security/PKI-Architectures-How-to-Choose-One/).

Microsoft Certificate Services offer two types of CAs: enterprise CAs and stand-alone CAs. Each CA can be implemented as an online or offline CA. This decision is based on the sensitivity of the requirements; the stronger the security level needed, the less accessible the CA should be. The best practice is to place the stand-alone root CA offline because it is a single point of trust (if the root CA is compromised, it results in the compromisation of the entire PKI). Intermediate CAs are typically configured as offline as well. Online CAs are typically issuing CAs as they respond to certificate requests. Every Enterprise CA must be an online CA, since it requires connectivity to Active Directory at all times to obtain configuration information, validate requests, and publish certificates. However, you have to take into consideration that an online CA is subjected to a greater risk due to the network connectivity and continuous availability.

The following table lists a set of comparison criteria between the stand-alone CA and the Enterprise CA in order to help you decide what CA type is best for your organization.

Comparison Criteria	Stand-alone CA	Enterprise CA
Active Directory support	It issues certificates to users outside of an Active Directory environment. However, CA configuration can be published into Active Directory.	It must be a member of a Windows 2000 or Windows Server 2003 Active directory domain.
Identification of user when requesting a certificate	Identification information is captured through the Web enrollment interface.	User identification information is always automatically retrieved from Active Directory.
Enrollment	Web Enrollment -- You cannot apply the enrollment method (automatic or pending) on individual templates.	Web Enrollment or Certificates MMC (Microsoft Management Console) -- You can individually set the enrollment method (automatic or pending) on each template.
Issuing	Certificates are manually approved. -- Issue certificates based on predefined certificate template.	Certificates are manually approved or they are approved through Active Directory authentication. -- Can issue certificates based on customized certificate templates.
Installation	Can be installed on a domain controller, member server, or stand-alone server (workgroup member).	Can be installed on a domain controller or a member server (the CA is registered as a forest resource). It must not be installed on a stand-alone server (workgroup member).

Next: Installing Microsoft Certificate Services >>
 

More Windows Security Articles
More By Eliana Stavrou

Comments On: Implementing a PKI, Windows 2003

· Hi to all readers,thank you for stopping by my article. As you can read in the...   >>> Post your comment now!