The Benefits Of Two-Level Certificate Authority Hierarchy

August 16, 2013

2 comments

A common question comes up at the planning stage of a two-level (two-tier) certificate authority hierarchy:

What are the advantages of a two-level certificate authority hierarchy over a single CA?

The two-level model puts a root CA (normally kept offline) above one or more online Subordinate CAs, also called Intermediate CAs or issuing CAs. Its main advantages can be summarized under five headings:

1. Performance, Scalability & Redundancy

Using multiple Subordinate CAs (Intermediate CAs) lets the organization spread the load of PKI processing across several servers. With more than one Subordinate CA the organization can handle common scenarios such as:

a. The failure of one (or more) Subordinate CA servers does not take the PKI service down: the remaining Subordinate CAs keep issuing and renewing certificates. Note that certificates already issued by the failed CA stay usable only while its CRL is still published and unexpired, so the CRL distribution points must outlive the CA that signed them.

b. By placing a Subordinate CA in each Active Directory site, user and computer certificates are issued and renewed by the nearest Subordinate CA instead of over slow WAN links.

c. Spreading enrollment over multiple Subordinate CAs reduces the load on each one, which helps the organization meet its SLA (Service Level Agreement) for issuing and renewing certificates.

2. Legal and Policy Requirements

Many organizations use PKI for tasks with legal weight, such as signing documents or securing SSL/TLS access to payment systems.

An organization usually publishes two documents to its customers and end users that cover the legal and service terms of its certificates:

- Certificate Policy (CP)

- Certification Practice Statement (CPS)

A CA is operated under one CP/CPS pair: the CPS pointer and policy identifiers placed in its certificate (the Certificate Policies extension) apply to everything it issues. When the organization needs to issue certificates under several different policies (for example, a high-assurance policy for document signing and a low-assurance one for internal machine certificates), the clean way to do it is an additional Subordinate CA per policy.

3. Auditing

When different groups of certificates must be audited separately (for example, the CA that issues certificates for a regulated payment system is in scope for an external audit while the CA for internal workstation certificates is not), giving each group its own Subordinate CA keeps the audit scope, the CA audit logs and the CA database separate.

4. SOD – Separation of Duties

With multiple Subordinate CAs the organization can:

a. Let each IT team manage its own Subordinate CA.

b. Reduce each IT team's exposure to certificates it should not be managing.

c. Restrict each Subordinate CA to the specific Certificate Templates it is allowed to issue (in AD CS a template can only be enrolled from a CA on which it has been published, so a CA that never publishes a template cannot issue it).

5. Reducing the impact of a Subordinate CA compromise or theft

With the root CA kept offline and the issuing work split across multiple Subordinate CAs, the compromise or theft of one Subordinate CA is far less drastic for the organization: the root CA revokes that Subordinate CA's certificate and publishes a new root CRL, only the certificates issued by the compromised Subordinate CA have to be reissued (from another Subordinate CA), the other Subordinate CAs keep working, and the root key itself is never exposed. In a single-CA design the same incident means replacing the root and redistributing trust to every client.
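As an added example that is not code from the original post, the following POSIX shell script builds the hierarchy described under items 1 and 5 with the openssl command line tool (AD CS itself is administered through its MMC snap-ins and certutil, which this script does not use): a self-signed root, two issuing CAs, one server certificate from each, a CRL from every CA, and finally the revocation of issuing CA 1 at the root. Every name, path, serial number and validity period is constructed for the demo, and the key sizes and the pathlen:0 constraint on the issuing CAs are assumptions, not values taken from the post.

```shell
#!/bin/sh
# Added demo (not code from the original post): build a two-tier CA hierarchy with the
# openssl CLI, then revoke one issuing CA at the root. All names, paths, serials and
# validity periods are constructed for the demo. Assumes openssl 1.1.1 or later.
set -eu
command -v openssl >/dev/null || { echo "openssl binary required" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# new_ca NAME : directory layout, private key and openssl.cnf for one CA.
new_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir              = $WORK/$1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
copy_extensions  = none
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
# pathlen:0 - an issuing CA may certify end entities only, never another CA
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
}

# sign ISSUER CSR OUT EXT DAYS : issue a certificate and record it in ISSUER's database.
sign() {
  openssl ca -config "$1/openssl.cnf" -batch -notext -in "$2" -out "$3" \
    -extensions "$4" -days "$5" >/dev/null 2>&1
}

# gencrl NAME : publish NAME's current CRL.
gencrl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# chain_status ISSUER LEAF : "valid" when LEAF chains to the root through ISSUER and
# no certificate in the chain is listed on its issuer's CRL, otherwise "rejected".
chain_status() {
  cat root/ca.crl "$1/ca.crl" > "$1/chain.crl"
  if openssl verify -crl_check_all -CAfile root/ca.crt -CRLfile "$1/chain.crl" \
       -untrusted "$1/ca.crt" "$2" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}

# 1. Root CA, self-signed. In production this key stays on an offline machine or HSM.
new_ca root
openssl req -new -x509 -key root/ca.key -config root/openssl.cnf -extensions v3_root \
  -subj "/CN=Example Root CA" -days 3650 -out root/ca.crt

# 2. Two issuing CAs, each certified by the root, and one server certificate from each.
for ca in sub1 sub2; do
  new_ca "$ca"
  openssl req -new -key "$ca/ca.key" -config "$ca/openssl.cnf" \
    -subj "/CN=Issuing CA $ca" -out "$ca/ca.csr"
  sign root "$ca/ca.csr" "$ca/ca.crt" v3_sub 1825
  openssl genrsa -out "leaf-$ca.key" 2048 2>/dev/null
  openssl req -new -key "leaf-$ca.key" -config "$ca/openssl.cnf" \
    -subj "/CN=host-$ca.example" -out "leaf-$ca.csr"
  sign "$ca" "leaf-$ca.csr" "leaf-$ca.crt" v3_leaf 365
done

# 3. Every CA publishes a CRL. Nothing is revoked yet, so both chains validate.
for ca in root sub1 sub2; do gencrl "$ca"; done
echo "before: sub1 chain $(chain_status sub1 leaf-sub1.crt), sub2 chain $(chain_status sub2 leaf-sub2.crt)"

# 4. Issuing CA 1 is compromised: the root revokes its certificate and reissues the root
#    CRL. That single signing operation is the only use the root key gets in the incident.
openssl ca -config root/openssl.cnf -revoke sub1/ca.crt >/dev/null 2>&1
gencrl root
echo "after:  sub1 chain $(chain_status sub1 leaf-sub1.crt), sub2 chain $(chain_status sub2 leaf-sub2.crt)"
```

Run it with sh. The two echo lines show the sub1 chain going from valid to rejected while the sub2 chain keeps validating, which is the point of item 5: the root key is brought out once to sign a new CRL, the other issuing CA and everything below it are untouched, and only the certificates below the compromised issuing CA need to be replaced. The pathlen:0 constraint is the corresponding item 4 control in X.509 terms: even with its key stolen, an issuing CA cannot mint a further CA that clients would trust.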

For further information please review:

9.6 Planning Your Private Certification Hierarchy

Installing a Two Tier PKI Hierarchy in Windows Server 2012 Wrap Up


  1. Britt, September 10, 2013 at 09:48

    I like your website and thought I would share the service I use to get tons of website visitors. http://gmbal.com/109y I am very happy with the traffic that I receive from their company and I would recommend them to any webmaster.

  2. 足球水位什么意思, October 29, 2013 at 02:12

    The prophecy of 0 has finally been proven! On any phone, use the built-in calculator to divide 0 by .0 and the phone will directly display its owner's name. So far no expert can explain this phenomenon. Very eerie, very terrifying, very violent!