Posted by Steven L Umbach on September 13, 2005, 6:51 pm
That is a decision you have to make based on the security needs of your
organization, what PKI is used for, and how important PKI is to its
existence and reputation. Usually the subordinate is recommended so that the
root CA can be kept offline to protect the integrity of your PKI. The more
complex your PKI structure is and the more you and your customers/partners rely
on it, the more important it would be to consider an offline CA. If the root
CA is compromised then your whole CA hierarchy that uses that root CA is
compromised. If you have an offline root CA and three issuing subordinates
and one of the subordinate CAs is compromised then only certificates that
subordinate CA issued are compromised. However many organizations use a
single CA for their PKI. Be sure to take steps to protect your CA such as
physically securing it, using hard to guess passwords, disabling unneeded
services, enabling auditing and monitoring the security logs, yada yada so that
unauthorized certificates are not issued. --- Steve
> I am trying to determine what advantage I will get by implementing a
> Standalone Subordinate CA to issue certificates to clients.
>
> I do not have an AD domain and I just need to issue certificates to a
> few hundred external vendors. Would it be necessary to have a
> subordinate CA or would I be just as well off with a Stand Alone Root
> CA issuing the client certs? It would also save me the cost of another
> server.
>
> From what I can tell, I don't get any extra redundancy by having the
> sub CA, so what is its intended purpose. Can anyone give an example of
> how a sub CA could make sense in my environment?
>
> Thanks!
>
> Travis
>
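The two-tier layout Steve describes, worked through as an added example that is not part of the original thread: a Go program using only the standard library's crypto/x509 builds an offline-style root, three issuing subordinates and one client certificate per subordinate, then has the root publish a CRL revoking one compromised subordinate and checks each vendor certificate the way a relying party would. The CA names, the vendor names and the helper functions (newCert, BuildHierarchy, RevokeSub, VerifyLeaf) are all invented for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the key that signs under it. Keys live in memory
// for the demo; in the post's design the root's key sits on a machine kept offline.
type ca struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func must[T any](v T, err error) T { // key generation or encoding failures abort the demo
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for it: self-signed when
// parent is nil (the root), issued by parent otherwise. All names are made up.
func newCert(cn string, isCA bool, parent *ca) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))),
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA signs certificates and CRLs and nothing else
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil { // root: the template signs itself
		parent = &ca{cert: tmpl, key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// Hierarchy is the post's layout: a root that signs only the subordinate CAs and its
// CRL, subordinates issuing vendor certs (Leaves[i] comes from Subs[i]), and the pools
// a relying party is configured with.
type Hierarchy struct{ Root *ca; Subs []*ca; Leaves []*x509.Certificate; Roots, Inters *x509.CertPool }

func BuildHierarchy(nSubs int) *Hierarchy {
	h := &Hierarchy{Root: newCert("Example Offline Root CA", true, nil), Roots: x509.NewCertPool(), Inters: x509.NewCertPool()}
	h.Roots.AddCert(h.Root.cert)
	for i := 1; i <= nSubs; i++ {
		sub := newCert(fmt.Sprintf("Example Issuing CA %d", i), true, h.Root)
		h.Subs = append(h.Subs, sub)
		h.Inters.AddCert(sub.cert)
		h.Leaves = append(h.Leaves, newCert(fmt.Sprintf("vendor%d.example", i), false, sub).cert)
	}
	return h
}

// RevokeSub is the root's post-compromise duty: sign a CRL listing the compromised
// subordinate. (RevokedCertificates exists since Go 1.15; Go 1.21 added RevokedCertificateEntries.)
func RevokeSub(h *Hierarchy, i int) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Subs[i].cert.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, h.Root.cert, h.Root.key))
	return must(x509.ParseRevocationList(der))
}

// VerifyLeaf does what a relying party does: chain the vendor cert to the trusted root
// through the known subordinates, then reject the chain if a certificate the root issued
// is on the root's CRL. crypto/x509's Verify does not consult CRLs by itself.
func VerifyLeaf(h *Hierarchy, leaf *x509.Certificate, crl *x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: h.Roots, Intermediates: h.Inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil || crl == nil {
		return err
	}
	if err := crl.CheckSignatureFrom(h.Root.cert); err != nil {
		return err // a CRL the root did not sign proves nothing
	}
	for _, c := range chains[0] {
		for _, r := range crl.RevokedCertificates {
			if bytes.Equal(c.RawIssuer, crl.RawIssuer) && c.SerialNumber.Cmp(r.SerialNumber) == 0 {
				return errors.New("chain passes through revoked CA " + c.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	h := BuildHierarchy(3)
	crl := RevokeSub(h, 1) // Example Issuing CA 2 is the compromised one
	for i, leaf := range h.Leaves {
		fmt.Println(leaf.Subject.CommonName, "via", h.Subs[i].cert.Subject.CommonName, "->", VerifyLeaf(h, leaf, crl))
	}
}
```

Running it shows the blast radius Steve describes: the certificate issued by the revoked subordinate fails with a "revoked CA" error while the other two vendors' certificates still verify against the same root. Two things the post's advice implies but the library does not do for you are spelled out in VerifyLeaf: Verify ignores CRLs, so the relying party has to fetch and apply one, and only a CRL signed by the root counts for a subordinate's revocation, which is exactly why the root key has to stay out of reach of whoever compromised the subordinate.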