Posted by Brian Komar (MVP) on May 12, 2008, 7:38 pm
Answers inline...
> Hi
>
> I'm looking into creating a two-level certificate hierarchy and I'm just
> wondering, are there any advantages by running this as opposed to a
> single-level CA certificate?
I would look at my PKI book to review the different design decisions between
a single and two-tiered hierarchy.
A three-tiered hierarchy is not for every organization.
>
> A three-level hierarchy (which is what Microsoft docs seem to advocate) is
> overkill for my intended use of a CA.
Most likely, but you do not provide any information so who knows.
>
> I want to set up a CA solution that's as secure as possible without using
> HW based crypto units or a three-level CA hierarchy. That's why I am
> wondering if a two-level CA hierarchy will do the job. All my issuing CAs
> will be issuing the same type of certificates.
Without HW crypto, it will not be extremely secure. The number of levels of
a hierarchy has very little to do with security and more to do with policy.
>
> If the certificate of the issuing CA is compromised, do I need
> to rebuild the entire hierarchy?
>
No, you only need to revoke all certs issued by that CA.
> Any best-practices out there for a two-level CA solution?
>
I cover this in both my 2003 and 2008 PKI books.
> Other things I should be aware of?
>
I think you need to spend more time on design. Design should come up with
how many tiers you need, whether you need HW crypto.
You are putting these as requirements, and they are results of the design
exercise.
>
> Thanks,
>
> L.
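The two-tier hierarchy discussed above, built end to end as an added example (it is not code from the thread or from Brian Komar's books): an offline-style root CA certifies one issuing CA, the issuing CA certifies an end-entity certificate, and each CA publishes its own CRL. It then models the "issuing CA compromised" question by having the root revoke the issuing CA's certificate, and shows that chain validation with CRL checking fails one level below the root while the root itself is untouched. It assumes a POSIX shell and an `openssl` command line (1.1.1 or later); all subjects, paths and serial numbers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: build a two-tier hierarchy
# (root CA -> issuing CA -> leaf cert) with OpenSSL, then model the
# "issuing CA compromised" case by revoking the issuing CA's certificate at
# the root and re-running chain validation with CRL checking.
# Paths, names and subjects are constructed for the demonstration.
set -e

WORK=$(mktemp -d)
CNF="$WORK/pki.cnf"
trap 'rm -rf "$WORK"' EXIT

# Create the working directory "openssl ca" expects (database, serial, CRL
# number) and print the matching config section for one CA.
ca_section() {   # args: section name, directory, cert lifetime in days, extension section
  mkdir -p "$WORK/$2/newcerts"
  : > "$WORK/$2/index.txt"
  echo 1000 > "$WORK/$2/serial"
  echo 1000 > "$WORK/$2/crlnumber"
  cat <<EOF
[ $1 ]
dir = $WORK/$2
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = $3
default_crl_days = 30
policy = policy_cn
x509_extensions = $4
EOF
}

# One config serves "openssl req" (extension sections) and both CAs.
write_config() {
  {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n[ ca ]\ndefault_ca = root_ca\n'
    ca_section root_ca root 1825 v3_issuing
    ca_section issuing_ca issuing 365 v3_leaf
    printf '[ policy_cn ]\ncommonName = supplied\n'
    printf '[ v3_root ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n'
    printf '[ v3_issuing ]\nbasicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n'
    printf '[ v3_leaf ]\nbasicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\n'
  } > "$CNF"
}

build_hierarchy() {
  write_config
  # Tier 1: self-signed root; in production this key stays offline.
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_root \
    -subj "/CN=Example Root CA" -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt"
  # Tier 2: issuing CA, certified by the root with pathlen:0.
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/issuing/ca.key" -out "$WORK/issuing.csr"
  openssl ca -config "$CNF" -name root_ca -batch -notext -in "$WORK/issuing.csr" -out "$WORK/issuing/ca.crt"
  # End entity certified by the issuing CA.
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
  openssl ca -config "$CNF" -name issuing_ca -batch -notext -in "$WORK/leaf.csr" -out "$WORK/leaf.crt"
  publish_crls
}

# Each CA signs its own CRL; a relying party needs both to check the whole chain.
publish_crls() {
  openssl ca -config "$CNF" -name root_ca -gencrl -out "$WORK/root/ca.crl"
  openssl ca -config "$CNF" -name issuing_ca -gencrl -out "$WORK/issuing/ca.crl"
  cat "$WORK/root/ca.crl" "$WORK/issuing/ca.crl" > "$WORK/all.crl"
}

# Validate leaf -> issuing -> root, checking a CRL for every non-root certificate.
# Prints OK, REVOKED, or FAIL followed by OpenSSL's reason.
chain_status() {
  out=$(openssl verify -crl_check_all -CAfile "$WORK/root/ca.crt" -CRLfile "$WORK/all.crl" \
        -untrusted "$WORK/issuing/ca.crt" "$WORK/leaf.crt" 2>&1) || true
  case "$out" in
    *": OK") echo OK ;;
    *"certificate revoked"*) echo REVOKED ;;
    *) echo "FAIL: $out" ;;
  esac
}

# Response to a compromised issuing CA: the root revokes that CA's certificate,
# so every certificate below it fails validation while the root is untouched.
revoke_issuing_ca() {
  openssl ca -config "$CNF" -name root_ca -revoke "$WORK/issuing/ca.crt"
  publish_crls
}

build_hierarchy
BEFORE=$(chain_status)
revoke_issuing_ca
AFTER=$(chain_status)
echo "before revocation: $BEFORE"
echo "after revocation:  $AFTER"
```

Run it as a script and the last two lines read `OK` and then `REVOKED`. The design point it makes is the one the reply states in prose: the number of tiers decides where a revocation is published and how much of the tree it takes down, not how hard the keys are to steal. Revoking at the root kills everything the issuing CA ever signed in a single CRL entry, which is the reason the root is kept offline and the issuing CA is the one exposed to the network.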