Recommendations for use of Policy CA in small PKI solutions

C

CJespersen

Hi

I am considering updated Pros and Cons about having Policy CA's as a
separate level in the CA hierarchy as opposed to having it in a combined role
together with issuing CA's.

In almost all the PKI cases I have been involved in so far, we only have two
or three levels in the CA hierarchy with or without HSM modules.

Three level CA solution : Offline Root, Offline Policy CA and two issuing CA's
Two level CA solution: Offline Root, Two or more Issuing CA

I am wondering if the use of the Policy CA is overkill in such rather small
designs
- if the Policy CA does not make use of qualified subordination using
policy.inf or cross-certification with other companies CA, could you say that
the use of a policy CA is overkill?
- if the Policy CA is being used with or without qualified subordination
specified in a policy.inf file, would it be ok to have the policy CA online
as part of the domain, even though it would be a standalone sub-CA. This
would make it a lot easier to manage.
- Is it possible at all to have the policy CA being standalone, non-domain
and still be able to use the qualified subordination features? It seems that
the signing of qualified subordination requires v2 templates which are
normally only available on an enterprise OS and Enterprise CA?

We typically restrict which Issuing CAs are able to issue which certificates
based on which CA's the templates are published on and together with
permissions on the templates, this is often enough, when the hierarchy is as
small as mentioned and especially when only a few number of persons
administers the CA's in a given company.

Thanks in advance for any inputs/thoughts on this subjects. Links to white
papers about the use of Policy CA's with pros and cons would be appriciated.

kind regards
Claus

--
Claus Jespersen
WM-data Denmark
 
B

Brian Komar

Some comments inline...
"CJespersen" <asktheexperts@community.nospam> wrote in message
news:17F1E581-8651-4125-9C2F-0948DCF8871A@microsoft.com...
> Hi
>
> I am considering updated Pros and Cons about having Policy CA's as a
> separate level in the CA hierarchy as opposed to having it in a combined
> role
> together with issuing CA's.
>
> In almost all the PKI cases I have been involved in so far, we only have
> two
> or three levels in the CA hierarchy with or without HSM modules.
>
> Three level CA solution : Offline Root, Offline Policy CA and two issuing
> CA's
> Two level CA solution: Offline Root, Two or more Issuing CA
>
> I am wondering if the use of the Policy CA is overkill in such rather
> small
> designs
> - if the Policy CA does not make use of qualified subordination using
> policy.inf or cross-certification with other companies CA, could you say
> that
> the use of a policy CA is overkill?

Probably

> - if the Policy CA is being used with or without qualified subordination
> specified in a policy.inf file, would it be ok to have the policy CA
> online
> as part of the domain, even though it would be a standalone sub-CA. This
> would make it a lot easier to manage.
I would rather you not deploy it at all rather than put it online. Easiness
<> security

> - Is it possible at all to have the policy CA being standalone, non-domain
> and still be able to use the qualified subordination features? It seems
> that
> the signing of qualified subordination requires v2 templates which are
> normally only available on an enterprise OS and Enterprise CA?

If you look at the whitepaper, we describe how to generate the qualified
subordination signing certificate from a standalone CA
>
> We typically restrict which Issuing CAs are able to issue which
> certificates
> based on which CA's the templates are published on and together with
> permissions on the templates, this is often enough, when the hierarchy is
> as
> small as mentioned and especially when only a few number of persons
> administers the CA's in a given company.

Yep
>
> Thanks in advance for any inputs/thoughts on this subjects. Links to white
> papers about the use of Policy CA's with pros and cons would be
> appriciated.
>
I am talking more about this in the upcoming second edition of my PKI book


> kind regards
> Claus
>
> --
> Claus Jespersen
> WM-data Denmark
>
 
C

CJespersen

Hi Brian

thanks a lot. Very useful. Just what I needed.
I am looking forward to seeing your new book.

kind regards
Claus
--
Claus Jespersen


"Brian Komar" wrote:

> Some comments inline...
> "CJespersen" <asktheexperts@community.nospam> wrote in message
> news:17F1E581-8651-4125-9C2F-0948DCF8871A@microsoft.com...
> > Hi
> >
> > I am considering updated Pros and Cons about having Policy CA's as a
> > separate level in the CA hierarchy as opposed to having it in a combined
> > role
> > together with issuing CA's.
> >
> > In almost all the PKI cases I have been involved in so far, we only have
> > two
> > or three levels in the CA hierarchy with or without HSM modules.
> >
> > Three level CA solution : Offline Root, Offline Policy CA and two issuing
> > CA's
> > Two level CA solution: Offline Root, Two or more Issuing CA
> >
> > I am wondering if the use of the Policy CA is overkill in such rather
> > small
> > designs
> > - if the Policy CA does not make use of qualified subordination using
> > policy.inf or cross-certification with other companies CA, could you say
> > that
> > the use of a policy CA is overkill?
>
> Probably
>
> > - if the Policy CA is being used with or without qualified subordination
> > specified in a policy.inf file, would it be ok to have the policy CA
> > online
> > as part of the domain, even though it would be a standalone sub-CA. This
> > would make it a lot easier to manage.
> I would rather you not deploy it at all rather than put it online. Easiness
> <> security
>
> > - Is it possible at all to have the policy CA being standalone, non-domain
> > and still be able to use the qualified subordination features? It seems
> > that
> > the signing of qualified subordination requires v2 templates which are
> > normally only available on an enterprise OS and Enterprise CA?
>
> If you look at the whitepaper, we describe how to generate the qualified
> subordination signing certificate from a standalone CA
> >
> > We typically restrict which Issuing CAs are able to issue which
> > certificates
> > based on which CA's the templates are published on and together with
> > permissions on the templates, this is often enough, when the hierarchy is
> > as
> > small as mentioned and especially when only a few number of persons
> > administers the CA's in a given company.
>
> Yep
> >
> > Thanks in advance for any inputs/thoughts on this subjects. Links to white
> > papers about the use of Policy CA's with pros and cons would be
> > appriciated.
> >
> I am talking more about this in the upcoming second edition of my PKI book
>
>
> > kind regards
> > Claus
> >
> > --
> > Claus Jespersen
> > WM-data Denmark
> >
>
 
You must log in or register to reply here.

Similar threads

D
MS CS with Yubihsm2 - The device that is required by this cryptographic provider is not ready for use. 0x880090030 (-2146893776 NTE_DEVICE_NOT_READY)
Replies
0
Views
11
D0611
D
T
Lack of Windows update group policy for Win 10/11 - "Reschedule Automatic Updates"
Replies
0
Views
58
Trevor Harris-A
T
R
Why is "Allow Search Highlights" removed from domain level group policy but is in local group policy? Location Computer Configuration > Administrati
Replies
0
Views
89
Rodney Hopper
R
R
I cannot log in to either Microsoft store or my Xbox app, a small grey window named "sign in" appears for a couple of seconds then disappears.
Replies
0
Views
24
rob noble1
R
Y
  • Article
Introducing Copilot+ PCs
Replies
0
Views
91
Yusuf Mehdi
Y
Back
Top Bottom