2 Tier PKI Deployment with Websense Subordinate

I am working on refreshing a single Tier AD CS Deployment with an offline rootCA(Workgroup), and a single Issuing SubordinateCA within a Single Forest.

I have run into the discovery that they are currently running subordinate CAs with Websense appliances and PaloAlto Firewalls. I am curious about deployment strategies elsewhere when running into these scenarios. I am considering the following:

Offline RootCA

Online Subordinate Issuing CA

Hanging additional Subordinates below the EnterpriseSubordinateCAs

This will sorta create a 3-Tier Design, but allows me to keep the Offline Non-Routable from the network...as the Websense appliances need to contact the RootCA to download the CRL if we went with a strictly 2-Tier Design.

Let me know if anyone has any comments/concerns/feedback/etc.

April 22nd, 2015 12:12pm

A three-tier PKI should dedicate the middle tier to handle policies, and it's generally called a policy CA. In your environment, you are best off sticking to a two-tier model and using the CA path length constraint to lock the tiers. Then just issue tier-two CA certificates to the appliances. CRLs should not be a problem as long as you use an HTTP CDP. Your root needs to manually publish its own CRL regardless. HTH
April 22nd, 2015 4:42pm

Thanks Zelliptic,

With a 2-Tier Model, then, I would be issuing SubordinateCA Certificates to the appliances from my Issuing EnterpriseSubCA? This would allow these appliances to download CRLs from the online Issuing CA....is that what you are implying?

Let me know if that is what you are recommending....or if I am off-base.

Thanks,

April 22nd, 2015 6:18pm

or are we having the Appliances act as SubCAs in-line with the Enterprise Issuing SubCA.....and they in turn would download the CRL from the HTTP CDP?

I would then be manually copying the CRL to the Issuing CA....(in my case yearly) and the Websense Gateways would be downloading this CRL from the CDP?

April 22nd, 2015 6:21pm

If built properly, the root CA is never ever ever attached to the network. The CDP and AIA references in the certificates issued by the root CA would typically refer to an online server (web cluster) that is both internally and externally accessible.

So the Websense servers should never have to attach to the root CA.

You can choose then to have the websense servers submit their subordinate CA requests to the root CA (two tier) or to one of the enterprise subordinate CAs (three tiered).

It does sound like there are some potential issues in your revocation publication design 

Brian

April 22nd, 2015 7:25pm

Thanks Brian,

I think this is due to my lack of understanding of how CRL publishing functions from an Offline RootCA. The following appears to be what I am now understanding....please correct me if I am wrong:

1) Offline RootCA(Not on network)

2) EnterpriseSubCA(Issuing CA on Windows)

a. Manually copy the CRL yearly to this CA (pki.company.com), which has an HTTP CDP set up

3) Request SubCAs from the RootCA for Websense Appliances

a. By default the CDP for these is set to pki.company.com

b. I have already manually copied the CRL to the Sub Issuing CA....therefore the Appliances will download this CRL from the Sub Issuing CA

Please let me know if this is correct....I definitely did not have an understanding of the CRL Publication (and I think I may know now :) )

April 22nd, 2015 7:38pm

Yes, your appliances will act as tier-two issuing CAs. All your CRLs should be available on an HTTP CDP, which includes your root CRL and all your issuing CA CRLs. The appliances should be able to download them automatically. BTW, your CDP doesn't have to be the issuing CA. You can use any web server to host the HTTP CDP. HTH
April 22nd, 2015 7:48pm

Yes, you are now getting it.

Personally, I would not publish CRLs to the CAs (nor install IIS on the CAs) as it opens up too many possibilities for attack. I would have a dedicated Web cluster (maybe behind an NLB hardware device) hosting the pki.company.com Web site.

But, your logic is now correct.

Brian

April 22nd, 2015 11:06pm
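The publication design the thread converges on (offline root, HTTP CDP/AIA on a separate web host, path length locking the tiers), as an added example that is not from any poster in this thread. It uses the pki.company.com hostname from the thread; the /pki/ path, key size, file names and the CA name in the final check are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the CA
# named in each step. Hostname pki.company.com comes from the thread; the /pki/
# path, key size and certificate file name are assumptions.

# --- Step 1 (root CA): CAPolicy.inf written to %windir% BEFORE installing AD CS ---
# One-year base CRL matches the yearly manual copy discussed above. PathLength=1
# means at most one CA may sit between this root and an end-entity certificate,
# i.e. the two-tier lock: root -> issuing CA (or appliance CA) -> end entity.
@'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
[BasicConstraintsExtension]
PathLength=1
Critical=Yes
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII
# On the enterprise issuing CA, use the same file with PathLength=0 so it can
# issue end-entity certificates but never another CA certificate.

# --- Step 2 (root CA, after install): CDP and AIA URLs that issued certs carry ---
# Flag 1 = the CA writes the file to this local folder when it publishes.
# Flag 2 = the URL is embedded in every certificate the root issues, so the
# appliance sub-CA certificates requested from the root will point clients at
# the web host, never at the root. No LDAP URL: the root is a workgroup box.
$cdp = "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.company.com/pki/%3%8%9.crl"
$aia = "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.company.com/pki/%1_%3%4.crt"
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service certsvc
certutil -crl   # regenerate the root CRL so it reflects the settings above

# --- Step 3: carry CertEnroll\*.crl and *.crt to the web host on removable media,
# then from any networked machine confirm the chain resolves with the root offline.
# Every CDP/AIA URL in the output should be reported as retrieved, none as failed.
certutil -verify -urlfetch .\IssuingCA.cer
```

The issuing CA gets the same two `certutil -setreg` lines (plus the usual LDAP entry, since it is domain-joined) so that its own CRL, which the appliances also need, lands on the same web host.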

Hi,

Just want to confirm the current situations.

Please feel free to let us know if you need further assistance.

Regards.

April 26th, 2015 10:58pm
