A common question arises during the planning stage of a two-level certificate authority hierarchy:
What are the advantages of using a two-level certificate authority hierarchy model?
The main advantages of a two-level certificate authority hierarchy model can be summarized in five points:
1. Performance, Scalability & Redundancy
Using multiple Subordinate CAs/Intermediate CAs allows the organization to spread the load of processing PKI tasks across multiple
servers. With multiple Subordinate CAs/Intermediate CAs the organization can address common scenarios such as:
a. Failure of one (or more) Subordinate CA/Intermediate CA servers does not reduce the availability of the PKI service in the organization, because the remaining issuing CAs keep issuing and renewing certificates (provided each certificate template is published on more than one CA; a template published on a single CA is still a single point of failure).
b. By installing a Subordinate CA/Intermediate CA in each Active Directory site, user and computer certificates can be issued and renewed by the nearest Subordinate CA/Intermediate CA instead of over slow WAN links. Windows enrollment clients pick an issuing CA from the enrollment services published in Active Directory, so verify that clients in each site actually prefer their local CA; site-aware CA selection has to be configured explicitly.
c. By installing multiple Subordinate CAs/Intermediate CAs the total load on each one is reduced, which helps the organization meet the SLA (Service Level Agreement) requirements for issuing and renewing digital certificates.
2. Legal & Service Requirements (CP/CPS)
Many organizations use PKI for tasks with legal significance, such as signing documents or providing SSL/TLS access to payment systems.
Usually each organization publishes two legal documents to its customers/end users that cover legal and service issues:
-Certificate Policy (CP)
-Certification Practice Statement (CPS)
Each CA is normally operated under a single Certificate Policy (CP) document and a single Certification Practice Statement (CPS) document, referenced from the CA certificate.
If the organization needs to issue certificates under several different Certificate Policy (CP) documents or several different Certification Practice Statement (CPS) documents, additional Subordinate CAs/Intermediate CAs are needed, one per CP/CPS pair.
3. Separate Auditing
If separate auditing has to be implemented for different certificate populations, using multiple Subordinate CAs/Intermediate CAs allows you to meet this requirement, since each CA keeps its own database and audit log.
4. SOD – Separation Of Duties
With multiple Subordinate CAs/Intermediate CAs the organization can address common scenarios such as:
a. Allow each IT team to manage its own Subordinate CA/Intermediate CA.
b. Reduce the exposure of each IT team to digital certificates that should not be managed by that team.
c. Allow each Subordinate CA/Intermediate CA to publish only a specific set of Certificate Templates.
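One way to enforce point c above on an AD CS issuing CA, as an added example that is not part of the original post: the script below pins the CA to an explicit allow-list of certificate templates, removing any other template that has been published on it, so the team operating this CA can only issue the certificate types it is responsible for. It uses the ADCSAdministration module's Get-CATemplate, Remove-CATemplate and Add-CATemplate cmdlets and must run on the CA server with CA administrator rights. The template names in the allow-list are assumptions ("WebServer" is a built-in template name; "Corp-InternalWebServer" is hypothetical).

```powershell
# Added example (not from the original post): restrict an issuing CA to an
# allow-list of certificate templates. Run on the issuing CA as a CA administrator.
Import-Module ADCSAdministration

# Templates this CA is allowed to publish. Assumed names: "WebServer" is the
# built-in template, "Corp-InternalWebServer" is a hypothetical custom template.
$AllowedTemplates = @('WebServer', 'Corp-InternalWebServer')

# Templates currently published on this CA (Get-CATemplate returns Name and Oid).
$published = Get-CATemplate | Select-Object -ExpandProperty Name

# 1. Remove every published template that is not on the allow-list, e.g. User,
#    Computer or Administrator templates a server-certificate CA has no reason
#    to issue. Each removal shrinks what a compromised CA or a rogue operator
#    of this CA could issue.
foreach ($name in $published) {
    if ($AllowedTemplates -notcontains $name) {
        Remove-CATemplate -Name $name -Force
        Write-Output "Removed template: $name"
    }
}

# 2. Publish any allow-listed template that is not yet on this CA.
foreach ($name in $AllowedTemplates) {
    if ($published -notcontains $name) {
        Add-CATemplate -Name $name -Force
        Write-Output "Added template: $name"
    }
}

# 3. Verify the result; anything not in $AllowedTemplates here is a finding.
$final = Get-CATemplate | Select-Object -ExpandProperty Name
$unexpected = $final | Where-Object { $AllowedTemplates -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected templates still published: $($unexpected -join ', ')"
} else {
    Write-Output "CA publishes only the allow-listed templates: $($final -join ', ')"
}
```

Run the same script on each issuing CA with its own allow-list; the equivalent check without the module is certutil -CATemplates, and certutil -SetCATemplates +Name / -Name can add or remove individual templates. Note that this limits what the CA will issue, not who may enroll: enrollment permissions on the templates themselves still have to be restricted separately.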
5. Reducing the impact of a Subordinate CA/Intermediate CA compromise or theft
With multiple Subordinate CAs/Intermediate CAs, the impact of a compromised or stolen Subordinate CA/Intermediate CA may be less drastic for the organization: only the certificates issued by that CA have to be revoked and reissued, the other Subordinate CAs/Intermediate CAs keep serving their users, and the root CA is unaffected. The compromised CA's certificate is revoked at the root CA and a new root CRL is published, after which every certificate that CA ever issued stops validating.
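The containment step described above, as an added example that is not part of the original post: on the root CA, revoke the compromised issuing CA's certificate with reason code 1 (key compromise) and publish a new CRL; then publish that CRL to Active Directory and check that a leaf certificate from the compromised CA no longer validates. The serial number, file names and paths are assumptions; certutil -revoke, -CRL, -dspublish and -urlfetch -verify are standard certutil verbs.

```powershell
# Added example (not from the original post): contain a compromised issuing CA.
# Part 1 runs on the root CA (bring it online only for this); part 2 runs on a
# domain-joined machine that has a copy of the new root CRL. Serial number and
# file names are hypothetical.

# --- Part 1: on the root CA ---------------------------------------------------
# Serial number of the compromised issuing CA's certificate, as shown in the
# root CA's "Issued Certificates" view (hypothetical value).
$CompromisedCaSerial = '1A00000002ABCDEF0123456789ABCDEF'

# Revoke with reason 1 = KeyCompromise. Unlike "cessation of operation", a key
# compromise revocation is permanent and the CRL entry must never be removed.
certutil -revoke $CompromisedCaSerial 1

# Publish a new base CRL immediately instead of waiting for the next scheduled
# publication, so relying parties can pick up the revocation.
certutil -CRL

# --- Part 2: on a domain-joined admin workstation ----------------------------
# Copy the new root CRL from the root CA to every CDP location (HTTP and LDAP).
# For the LDAP CDP, publish it into Active Directory (-f overwrites the old one).
$RootCrl = 'C:\Temp\RootCA.crl'          # hypothetical path to the copied CRL
certutil -dspublish -f $RootCrl

# Verification: a certificate issued by the compromised CA must now fail chain
# validation. -urlfetch forces fresh CRL retrieval from the CDPs instead of
# relying on a cached CRL that predates the revocation.
$LeafFromCompromisedCa = 'C:\Temp\leaf-from-compromised-ca.cer'   # hypothetical
certutil -urlfetch -verify $LeafFromCompromisedCa
# Expected: the chain is reported as revoked at the issuing CA level.

# Clear the local CRL cache on the test machine before re-testing, otherwise a
# cached CRL can mask the revocation until it expires.
certutil -urlcache crl delete
```

The other Subordinate CAs/Intermediate CAs keep issuing throughout; only the certificates that chain through the revoked CA need to be reissued from a newly built issuing CA. Until clients have fetched the new root CRL (bounded by the CRL's validity period and local caching), certificates from the compromised CA still validate, which is why a short root CRL lifetime and a reachable CDP matter in this design.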
For further information please review: