Online and Offline CAs
A CA server is a critical component in a network's security. If a CA is compromised, all certificates the CA has issued are also compromised and must be revoked immediately. Given the critical nature of servers acting as CAs, it's common practice to run one or more servers in the CA hierarchy in offline mode.
An offline CA isn't connected to the network, which makes it less vulnerable to attacks. However, all certificates and CRLs must be distributed with removable media. In a small network, using removable media to process certificate transactions works fine, but in a large network, depending on an offline CA for all your certificate needs isn't practical. Typically, when a hierarchy of CAs is necessary, a mix of offline and online CAs is used.
The root CA is the most critical and is the server typically configured for offline operation. An offline CA must also be a standalone CA. The root CA issues certificates only to the CAs in the next level of the hierarchy, a small number of transactions that removable media can accommodate. The next section on CA hierarchies discusses this concept in more detail.
Creating a CA Hierarchy
A small organization might require only a root CA if certificate requirements are modest. Large organizations, however, might want to create a hierarchy of CAs, consisting of a root CA, intermediate CAs, and issuing CAs. A CA hierarchy is used to distribute the load placed on CA servers and augment security.
The root CA is the first CA installed in a network. If the root CA is an enterprise CA, its certificate is distributed to clients automatically via group policies. If it's a standalone CA, manual configuration of group policies is required to distribute its certificate. In either case, after clients are configured to trust the root CA's certificate, they also trust the certificate of any CA that's subordinate to the root. Administrators can use this fact to create a hierarchy that insulates the root CA from network exposure. This hierarchical arrangement is what makes it possible to operate a root CA in offline mode: the root CA needs to issue certificates only to its subordinate CAs, and clients then trust the access certificates those subordinate CAs issue.
Depending on an organization's needs, a CA hierarchy can be single-level, consisting of only the root CA; two-level, consisting of the root CA and one or more issuing CAs; or three-level, consisting of the root CA, one or more intermediate CAs, and one or more issuing CAs. Figure 11-2 shows two-level and three-level hierarchies.
[Figure 11-2 Two-level and three-level CA hierarchies]
Two-level: Root CA (standalone/offline) -> issuing CAs (enterprise CA, enterprise CA, standalone CA)
Three-level: Root CA (standalone/offline) -> intermediate CAs (standalone CA, standalone CA) -> issuing CAs (enterprise CA, enterprise CA, enterprise CA, standalone CA)
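The trust relationship the preceding paragraphs describe (a client trusts only the root's certificate, yet accepts certificates issued by CAs subordinate to it, which is what lets the root stay offline) can be demonstrated with Go's standard crypto/x509 package. The program below is an added example, not code from the textbook or from any Windows CA product: it builds the three-level hierarchy of Figure 11-2 in memory, then validates an end-entity certificate against a trust store that holds nothing but the root. The CA names and the hostname server.example.test are constructed for the example, and the intermediate CA is given a path length of 1 and the issuing CA a path length of 0, an assumption chosen to show how each level is confined to its role.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Holder pairs a certificate with its private key. One process holds every key here only to
// show trust flow; in a real deployment the root's key never leaves the offline machine.
type Holder struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue creates a key pair and a certificate for cn signed by parent (nil parent: self-signed
// root). pathLen < 0 sets no path length limit; 0 marks an issuing CA limited to end-entity certs.
func Issue(parent *Holder, cn string, isCA bool, pathLen int) (*Holder, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; not a production serial scheme
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = pathLen, pathLen == 0
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := &Holder{Cert: tmpl, Key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Holder{Cert: cert, Key: key}, nil
}

// ChainLength validates leaf as a client would: only roots are trusted, and the subordinate
// CA certificates are supplied separately. It returns the number of certificates in the chain.
func ChainLength(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// BuildThreeLevel builds the three-level hierarchy of Figure 11-2:
// offline root -> intermediate CA -> issuing CA -> end-entity certificate.
func BuildThreeLevel() (root, inter, issuing, leaf *Holder, err error) {
	if root, err = Issue(nil, "Example Root CA", true, -1); err != nil {
		return
	}
	if inter, err = Issue(root, "Example Intermediate CA", true, 1); err != nil {
		return
	}
	if issuing, err = Issue(inter, "Example Issuing CA", true, 0); err != nil {
		return
	}
	leaf, err = Issue(issuing, "server.example.test", false, 0)
	return
}

func main() {
	root, inter, issuing, leaf, err := BuildThreeLevel()
	if err != nil {
		panic(err)
	}
	n, err := ChainLength(leaf.Cert, []*x509.Certificate{root.Cert}, []*x509.Certificate{inter.Cert, issuing.Cert})
	fmt.Println("chain length:", n, "err:", err) // 4 <nil>; the client trusts only the root
	_, err = ChainLength(leaf.Cert, []*x509.Certificate{root.Cert}, nil)
	fmt.Println("without subordinate CA certs:", err) // non-nil: the chain cannot be built
}
```

Two points the run makes concrete. First, the client never holds the intermediate or issuing CA certificates in its trust store; they travel with the end-entity certificate, which is exactly why the root can sign a handful of subordinate certificates over removable media and then go offline. Second, the path length constraints mean a certificate signed by any CA that the issuing CA might mint is rejected, so a compromise at the issuing level cannot quietly extend the hierarchy downward.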