Any advantages by running a two-level certificate solution?

[LAban24]

Hi

I'm looking into creating a two-level certificate hierarchy and I'm just
wondering, are there any advantages by running this as opposed to a
single-level CA certificate?

A three-level hierarchy (which is what Microsoft docs seem to advocate) is
an overkill for my intended use of a CA.

I want to set up a CA solution that's as secure as possible without using HW
based crypto units or a three-level CA hierarchy. That's why I am wondering
if a two-level CA hierarchy will do the job. All my issuing CA's will be
issuing the same type of certificates.

If the certificate of the issuing certificate CA is compromised, do I need
to rebuild the entire hierarchy?

Any best-practices out there for a two-level CA solution?

Other things I should be aware of?


Thanks,

L.

 

[Brian Komar \(MVP\)]

Answers inline...
"LAban24" <LAban24@discussions.microsoft.com> wrote in message
news:40D44255-8E0A-49E7-9F57-E57B7B458C29@microsoft.com...
> Hi
>
> I'm looking into creating a two-level certificate hierarchy and I'm just
> wondering, are there any advantages by running this as opposed to a
> single-level CA certificate?
I would look at my PKI book to review the different design decisions between
a single and two tiered hierarchy.
A three-tiered is not for every organization.

>
> A three-level hierarchy (which is what Microsoft docs seem to advocate) is
> an overkill for my intended use of a CA.
Most likely, but you do not provide any information so who knows.

>
> I want to set up a CA solution that's as secure as possible without using
> HW
> based crypto units or a three-level CA hierarchy. That's why I am
> wondering
> if a two-level CA hierarchy will do the job. All my issuing CA's will be
> issuing the same type of certificates.
Without HW crypto, it will not be extremely secure. The number of levels of
a hierarchy have very little to do with security and more to do with policy.

>
> If the certificate of the issuing certificate CA is compromised, do I need
> to rebuild the entire hierarchy?
>
No, you only need to revoke all certs issued by that CA.

> Any best-practices out there for a two-level CA solution?
>
I cover this in both my 2003 and 2008 PKI books

> Other things I should be aware of?
>

I think you need to spend more time on design. Design should come up with
how many tiers you need, whether you need HW crypto.
You are putting these are requirements, and they are results of the design
exercise.
>
> Thanks,
>
> L.

 

[Bendji]

Hi L.

Microsoft has created a really good guide for a two level hierarchy:

http://www.microsoft.com/downloads/...B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

The link is to a case where MS is making a solution for Wireless access and
is going through all the steps for a PKI design and implementation. It’s one
of my favorite papers from MS about PKI. There is both pro and cons about
the hierarchy and why they build it as they do.
If you combine this with the best practice and blueprint guides for PKI from
MS you should be well on your way.
Hope this helps.

Bedst Regards,
Benjamin

"LAban24" wrote:

> Hi
>
> I'm looking into creating a two-level certificate hierarchy and I'm just
> wondering, are there any advantages by running this as opposed to a
> single-level CA certificate?
>
> A three-level hierarchy (which is what Microsoft docs seem to advocate) is
> an overkill for my intended use of a CA.
>
> I want to set up a CA solution that's as secure as possible without using HW
> based crypto units or a three-level CA hierarchy. That's why I am wondering
> if a two-level CA hierarchy will do the job. All my issuing CA's will be
> issuing the same type of certificates.
>
> If the certificate of the issuing certificate CA is compromised, do I need
> to rebuild the entire hierarchy?
>
> Any best-practices out there for a two-level CA solution?
>
> Other things I should be aware of?
>
>
> Thanks,
>
> L.