Recommendations for use of Policy CA in small PKI solutions

C

CJespersen

Hi

I am considering updated Pros and Cons about having Policy CA's as a
separate level in the CA hierarchy as opposed to having it in a combined role
together with issuing CA's.

In almost all the PKI cases I have been involved in so far, we only have two
or three levels in the CA hierarchy with or without HSM modules.

Three level CA solution : Offline Root, Offline Policy CA and two issuing CA's
Two level CA solution: Offline Root, Two or more Issuing CA

I am wondering if the use of the Policy CA is overkill in such rather small
designs
- if the Policy CA does not make use of qualified subordination using
policy.inf or cross-certification with other companies CA, could you say that
the use of a policy CA is overkill?
- if the Policy CA is being used with or without qualified subordination
specified in a policy.inf file, would it be ok to have the policy CA online
as part of the domain, even though it would be a standalone sub-CA. This
would make it a lot easier to manage.
- Is it possible at all to have the policy CA being standalone, non-domain
and still be able to use the qualified subordination features? It seems that
the signing of qualified subordination requires v2 templates which are
normally only available on an enterprise OS and Enterprise CA?

We typically restrict which Issuing CAs are able to issue which certificates
based on which CA's the templates are published on and together with
permissions on the templates, this is often enough, when the hierarchy is as
small as mentioned and especially when only a few number of persons
administers the CA's in a given company.

Thanks in advance for any inputs/thoughts on this subjects. Links to white
papers about the use of Policy CA's with pros and cons would be appriciated.

kind regards
Claus

--
Claus Jespersen
WM-data Denmark
 
B

Brian Komar

Some comments inline...
"CJespersen" <asktheexperts@community.nospam> wrote in message
news:17F1E581-8651-4125-9C2F-0948DCF8871A@microsoft.com...
> Hi
>
> I am considering updated Pros and Cons about having Policy CA's as a
> separate level in the CA hierarchy as opposed to having it in a combined
> role
> together with issuing CA's.
>
> In almost all the PKI cases I have been involved in so far, we only have
> two
> or three levels in the CA hierarchy with or without HSM modules.
>
> Three level CA solution : Offline Root, Offline Policy CA and two issuing
> CA's
> Two level CA solution: Offline Root, Two or more Issuing CA
>
> I am wondering if the use of the Policy CA is overkill in such rather
> small
> designs
> - if the Policy CA does not make use of qualified subordination using
> policy.inf or cross-certification with other companies CA, could you say
> that
> the use of a policy CA is overkill?

Probably

> - if the Policy CA is being used with or without qualified subordination
> specified in a policy.inf file, would it be ok to have the policy CA
> online
> as part of the domain, even though it would be a standalone sub-CA. This
> would make it a lot easier to manage.
I would rather you not deploy it at all rather than put it online. Easiness
<> security

> - Is it possible at all to have the policy CA being standalone, non-domain
> and still be able to use the qualified subordination features? It seems
> that
> the signing of qualified subordination requires v2 templates which are
> normally only available on an enterprise OS and Enterprise CA?

If you look at the whitepaper, we describe how to generate the qualified
subordination signing certificate from a standalone CA
>
> We typically restrict which Issuing CAs are able to issue which
> certificates
> based on which CA's the templates are published on and together with
> permissions on the templates, this is often enough, when the hierarchy is
> as
> small as mentioned and especially when only a few number of persons
> administers the CA's in a given company.

Yep
>
> Thanks in advance for any inputs/thoughts on this subjects. Links to white
> papers about the use of Policy CA's with pros and cons would be
> appriciated.
>
I am talking more about this in the upcoming second edition of my PKI book


> kind regards
> Claus
>
> --
> Claus Jespersen
> WM-data Denmark
>
 
C

CJespersen

Hi Brian

thanks a lot. Very useful. Just what I needed.
I am looking forward to seeing your new book.

kind regards
Claus
--
Claus Jespersen


"Brian Komar" wrote:

> Some comments inline...
> "CJespersen" <asktheexperts@community.nospam> wrote in message
> news:17F1E581-8651-4125-9C2F-0948DCF8871A@microsoft.com...
> > Hi
> >
> > I am considering updated Pros and Cons about having Policy CA's as a
> > separate level in the CA hierarchy as opposed to having it in a combined
> > role
> > together with issuing CA's.
> >
> > In almost all the PKI cases I have been involved in so far, we only have
> > two
> > or three levels in the CA hierarchy with or without HSM modules.
> >
> > Three level CA solution : Offline Root, Offline Policy CA and two issuing
> > CA's
> > Two level CA solution: Offline Root, Two or more Issuing CA
> >
> > I am wondering if the use of the Policy CA is overkill in such rather
> > small
> > designs
> > - if the Policy CA does not make use of qualified subordination using
> > policy.inf or cross-certification with other companies CA, could you say
> > that
> > the use of a policy CA is overkill?
>
> Probably
>
> > - if the Policy CA is being used with or without qualified subordination
> > specified in a policy.inf file, would it be ok to have the policy CA
> > online
> > as part of the domain, even though it would be a standalone sub-CA. This
> > would make it a lot easier to manage.
> I would rather you not deploy it at all rather than put it online. Easiness
> <> security
>
> > - Is it possible at all to have the policy CA being standalone, non-domain
> > and still be able to use the qualified subordination features? It seems
> > that
> > the signing of qualified subordination requires v2 templates which are
> > normally only available on an enterprise OS and Enterprise CA?
>
> If you look at the whitepaper, we describe how to generate the qualified
> subordination signing certificate from a standalone CA
> >
> > We typically restrict which Issuing CAs are able to issue which
> > certificates
> > based on which CA's the templates are published on and together with
> > permissions on the templates, this is often enough, when the hierarchy is
> > as
> > small as mentioned and especially when only a few number of persons
> > administers the CA's in a given company.
>
> Yep
> >
> > Thanks in advance for any inputs/thoughts on this subjects. Links to white
> > papers about the use of Policy CA's with pros and cons would be
> > appriciated.
> >
> I am talking more about this in the upcoming second edition of my PKI book
>
>
> > kind regards
> > Claus
> >
> > --
> > Claus Jespersen
> > WM-data Denmark
> >
>
 
You must log in or register to reply here.

Similar threads

T
Lack of Windows update group policy for Win 10/11 - "Reschedule Automatic Updates"
Replies
0
Views
42
Trevor Harris-A
T
R
Why is "Allow Search Highlights" removed from domain level group policy but is in local group policy? Location Computer Configuration > Administrati
Replies
0
Views
81
Rodney Hopper
R
Y
  • Article
Introducing Copilot+ PCs
Replies
0
Views
70
Yusuf Mehdi
Y
J
The Future of Windows Server Hyper-V is Bright!
Replies
0
Views
80
Jeff Woolsey
J
F
  • Article
What’s next: Microsoft Build continues the evolution and expansion of AI tools for developers
Replies
0
Views
80
Frank X. Shaw
F
Back
Top Bottom