Certificate Authorities
cbriant
Member Posts: 59 ■■□□□□□□□□
Hi,
I am struggling with the CA part of this MCP. Please could someone explain the differences between root CAs and Subordinate CAs? I understand them as far as the root CA is the lowest in the hierarchy and subordinates are higher up. What I don't understand is, in what situations would you use subordinate over root and why have a whole hierarchy of CAs anyway?
I understand the difference between enterprise and stand-alone in that enterprise is AD integrated where as stand-alone is not.
Chris.
I am struggling with the CA part of this MCP. Please could someone explain the differences between root CAs and Subordinate CAs? I understand them as far as the root CA is the lowest in the hierarchy and subordinates are higher up. What I don't understand is, in what situations would you use subordinate over root and why have a whole hierarchy of CAs anyway?
I understand the difference between enterprise and stand-alone in that enterprise is AD integrated where as stand-alone is not.
Chris.
Comments
-
gojericho0 Member Posts: 1,059 ■■■□□□□□□□If you only had one root CA you have a single point of failure in your PKI. Intermediate or subordinate CAs also allow you to apply different security policy to different groups of people (e.g different organizations or geographies)
http://technet2.microsoft.com/windowsserver/en/library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true -
dynamik Banned Posts: 12,312 ■■■■■■■■■□Security is the main concern. Ideally, the root should issue the certificates it needs to, and then be taken offline. If the root CA is compromised, no certificates in your organization could be trusted. This would obviously wreak havoc with most organizations. Leaving one server offline is much cheaper than having to reissue certificates to thousands of users and devices, not to mention the cost of a security compromise. This type of setup is obviously impractical in a small business of 20 users, and is intended for medium-to-large businesses.
The subordinate CAs are the ones that actually issue certificates to clients. In larger organizations, the root CA issues to intermediate CAs (which are subordinate to the root), which in turn issues certificates to the subordinate CAs, which finally issue certificates to the clients. Intermediate CAs may be created for each geographic area (i.e. USA, Europe, etc.), for each type of certificate (i.e. EFS, SSL, etc.), or whatever other grouping makes sense for the organization.
The hierarchy is used for security (i.e. if one intermediate CA is compromised, you would only have to reissue certificates from that CA), for performance (i.e. either a single server being overwhelmed with requests or something like a slow WAN link), and for ease of administration (i.e. you can delegate control to different individuals, such as by giving one person control of the EFS certificates).
Hopefully that's all correct. I'm still working on this myself -
Claymoore Member Posts: 1,637The Windows Server 2003 PKI and Certificate Security book is an excellent resource for understanding certificates on the 293 exam. Honestly, I only read about the first third of it but it still really helped me.