Score:0

PKI hierarchy. Root CA and subordinate


I have to deploy a new PKI hierarchy. I have one domain and several subdomains. I had thought about having a Root CA and a Sub CA.

What are the advantages of this option over having a root CA only?

Do you advise that the Root CA and the Sub CA should be of type "Enterprise" or would it be better to have the Root CA of type Standard and keep it off and the Sub CA of type Enterprise?

Thanks

Score:1

Deploying a Root CA and a Sub CA provides both security and convenience benefits over just using a Root CA.

Root CA only (One-Tier Hierarchy):

This option is not recommended for production

A one-tier hierarchy simply involves a single entity called the Certificate Authority (CA). This CA wears two hats. The single CA is both a root CA and the issuing CA. Its public key becomes the starting point of trust – so, if you trust this root CA, you'd trust any certificates that it and its hierarchy issues. A compromise of this single CA would mean a compromise of the whole PKI!

Having a Root CA and a Sub CA (Two-Tier Hierarchy):

Over the years in my career, I've observed that this solution is the one most commonly implemented by companies. It provides a middle ground between the One-Tier and Three-Tier Hierarchies. With this setup, you keep the Root CA offline and let the Sub CA handle the issuing of certificates. This strategy reduces the exposure of your Root CA to potential attacks. This hierarchy also increases scalability beyond what's offered by the One-Tier Hierarchy since you can create multiple subs for different departments, sister companies, etc.

Considering all this, my recommendation aligns with your final suggestion: keep the Root CA as Standard and keep it off, while designating the Sub CA as an Enterprise type.

Microsoft has a very in-depth write-up about this called: Securing PKI: Planning a CA Hierarchy
This write-up also explains the Three-Tier Hierarchy.

Answers to good questions:

Is it possible to make an Enterprise CA subordinate to a "standard" CA?

Yes, it is possible to make the Enterprise CA a sub of your Root CA; this is actually a very common practice.

If I keep the "standard" Root CA turned off, when should I turn it on, only when renewing the certificate of the SubCA or every time I have to issue a certificate?

The sub CA can issue certificates without needing the Root CA to be online. The Root CA only needs to be brought back online to issue a new certificate/renew the sub CA. Once the new certificate is issued/renewed, the Root CA can be taken offline again.

Similarly, if you need to revoke the sub CA (for example, if it has been compromised), you also must bring the Root CA back online. This is because the Root CA maintains the CRL (Certificate Revocation List) of all sub CAs that it has signed. However, keep in mind that revoking the sub CA will also invalidate all certificates issued by the sub CA.

A very sharp addition of @Massimo:

Please also note that you must still make available (and periodically update) the Certificate Revocation List (CRL) for the root CA; most certificate checks will fail if the CRL is not available for the root CA, or if it's available but it's too old. If you want to use an offline root CA, this is something you need to plan for.
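To make the answer's points concrete, here is an added example (Go, written for this page; it is not code from the answer or from Microsoft's guidance) that builds a two-tier hierarchy in memory with the standard library: a self-signed root whose private key is touched only to sign the sub CA and the root CRL, a sub CA that issues the end-entity certificate on its own, and a verifier that, like a Windows client with revocation checking turned on, requires a current CRL from every CA in the chain. Go's `Verify` does not check CRLs itself, so that part is written out by hand. It needs Go 1.19 or later; all names, serials and lifetimes are made up for the demo.

```go
package main

// Added example, not code from the thread: an offline root, an issuing sub CA
// and a verifier that, like a Windows client with revocation checking on,
// wants a current CRL from every CA in the chain. All names are made up.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns setup failures, which are programming errors in a demo, into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair and has the parent sign the certificate; a nil
// parent means self-signed. pathLen 0 on a CA means "end-entity certs only".
func newCert(cn string, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62))) // random serial, RFC 5280 style
	serial.Add(serial, big.NewInt(1))                        // and never zero
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // a CA signs certs and CRLs and lives longer than a leaf
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.MaxPathLen, tmpl.MaxPathLenZero = true, true, pathLen, pathLen == 0
		tmpl.KeyUsage, tmpl.NotAfter = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, time.Now().AddDate(10, 0, 0)
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// crl publishes a CRL from issuer, current from issuedAt until issuedAt+validFor.
// RevokedCertificates is the field name every Go release since 1.15 accepts.
func crl(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, issuedAt time.Time, validFor time.Duration) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issuedAt, NextUpdate: issuedAt.Add(validFor)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: issuedAt})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// verifyChain builds leaf -> sub -> root, then checks each non-root member
// against a CRL signed by its issuer. A missing CRL, a stale CRL or a listed
// serial fails closed, which is why an offline root still needs a published CRL.
func verifyChain(root, sub, leaf *x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return err
	}
	for i, chain := 0, chains[0]; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var list *x509.RevocationList
		for _, l := range crls {
			if l.CheckSignatureFrom(issuer) == nil {
				list = l // a CRL this issuer actually signed
			}
		}
		if list == nil {
			return fmt.Errorf("no CRL from %q", issuer.Subject.CommonName)
		}
		if now.After(list.NextUpdate) {
			return fmt.Errorf("stale CRL from %q, next update was %s", issuer.Subject.CommonName, list.NextUpdate.UTC().Format(time.RFC3339))
		}
		for _, r := range list.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

// Scenarios runs the hierarchy through the situations raised in the thread.
func Scenarios() map[string]error {
	now := time.Now()
	root, rootKey := newCert("Example Offline Root CA", true, 1, nil, nil)
	sub, subKey := newCert("Example Issuing Sub CA", true, 0, root, rootKey) // root online once
	leaf, _ := newCert("web01.corp.example", false, 0, sub, subKey)           // sub CA key only
	year, week := 365*24*time.Hour, 7*24*time.Hour
	rootCRL := crl(root, rootKey, nil, now, year)                   // published before the root goes offline
	subCRL := crl(sub, subKey, nil, now, week)                      // refreshed routinely by the online sub CA
	staleRootCRL := crl(root, rootKey, nil, now.Add(-2*year), year) // root left off past its CRL lifetime
	subRevoked := crl(root, rootKey, []*big.Int{sub.SerialNumber}, now, year)
	run := func(l ...*x509.RevocationList) error { return verifyChain(root, sub, leaf, l, now) }
	return map[string]error{
		"fresh CRLs for root and sub": run(rootCRL, subCRL),
		"root CRL never published":    run(subCRL),
		"root CRL expired":            run(staleRootCRL, subCRL),
		"sub CA revoked by root":      run(subRevoked, subCRL),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-28s -> %v\n", name, err)
	}
}
```

Run it with `go run` and the four scenarios print their results: only the case with fresh CRLs from both CAs passes. A root CRL that was never published, or that was published but left to expire while the root stayed switched off, fails the whole chain even though nothing is wrong with the leaf certificate, which is exactly the planning point Massimo raises. Revoking the sub CA in the root's CRL takes every certificate below it with it, matching what the answer says about revoking a sub CA.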

Santyuste:
Thank you for your response. Regarding this I have some doubts about implementation. Is it possible to make an Enterprise CA subordinate to a "standard" CA? If I keep the "standard" Root CA turned off, when should I turn it on, only when renewing the certificate of the SubCA or every time I have to issue a certificate?
Bombaci:
@Santyuste, I just updated the answer, answering your questions.
Massimo:
Please also note that you must still make available (and periodically update) the Certificate Revocation List (CRL) for the root CA; most certificate checks will fail if the CRL is not available for the root CA, or if it's available but it's too old. If you want to use an offline root CA, this is something you need to plan for.
Another commenter:
@Santyuste: You keep the hard drives for the root CA in a safe. You take them out when you perform disaster recovery testing, or more often if you need it for other functions such as turning up/down issuing CAs.
Santyuste:
So the root CA, being standard and having to be switched off, should not be joined to the domain and should remain in a workgroup. On the contrary, the SubCA (enterprise) should be joined to the domain. Is this true?
Bombaci:
@Santyuste exactly, the RootCA should be protected by any means. It is like a plug in a tub: if you pull it, everything (signed by it) will go down the drain. The SubCA CAN be joined to the domain, but for the sake of easy management and automation (automated cert enrollment) you should.