General questions regarding PKI design
Hello, I am trying to understand how PKI works, reading books and articles, but nothing helps to answer my questions, because all the literature I use gives some general guidelines, but nothing specific. I hate that. So, I have several questions to ask:

1. When designing a PKI hierarchy I can't understand why I need to have different Policy CAs. As far as I know, what may be different is the CPS, CRL publication intervals, CRL and AIA location, CA renewal and key size.
** CPS - as I understand it, it is just a link to a document in an external location. Why do I need to have different links if I can provide the information I want in one CPS?
** CRL publication intervals - OK with this one.
** CRL and AIA - why do I need to have two Policy CAs if I can set different CRL and AIA locations in one?
** CA renewal and key size - I want to know, if I can define certificate renewal time in each certificate template, why do I need different renewal settings?

2. About key sizes. I know that some applications do not support 4096-bit keys, but how do I determine the difference between 1024 and 2048? Which to choose? For example, what is the time to encrypt 1 TB of space using a certificate with 1024- and 2048-bit keys?

3. How do I determine how many issuing CAs I need? How does it depend on network bandwidth? WAN or LAN location? Domains? The user count in the whole organization is about 2000 and there are 4 different locations: 1 is central, 1 has a 100 Mbit link, 2 have 4 Mbit links, and 1 VPN with 4 Mbit.

Thank you
July 24th, 2009 5:11pm

He he, loads of interesting questions. I have time to answer question 3 :-)

It depends on your design, you can either choose to create one issuing CA for each certificate template or let one issuing CA handle all certificate templates. If you choose the last one, as I normally do, then you only need to consider multiple CAs for availability and scalability. So what actually happens if you only have one Issuing CA and that one goes down? In other words, what PKI services depend on the Issuing CA being available:

Service - Availability
- Enrollment of a new certificate - If a client needs to enroll a certificate, it will fail and would have to wait till the issuing CAs are available again.
- Renewal of a certificate - If automatic renewal is used, this usually occurs some weeks before expiring.
- Certificate revocation - A certificate can only be revoked by the CA that issued it. A second CA would not help.
- Publishing a new CRL - The CRL is unique to a CA. A second CA would help by splitting the issued certificates between two CAs to minimize the failure.
- Renewing a CA certificate - Only the CA who issued the certificate can renew it.

Using two issuing CAs raises the level of availability for enrollment and ensures that clients can enroll new certificates, unless the network connection is down. To ensure a high level of availability it is advised to use two issuing CAs, but if you have no business critical applications that use certificates, and if you have a fast recovery procedure, then there's no problem in using just one. (The main problem would be if you cannot renew the CRL, which can result in application/service unavailability, but having two Issuing CAs will not help with this.)

About network bandwidth: a certificate is very small, around 4 KB, and its lifetime is normally one to two years (so the renewal traffic happens rarely and is low). If you only have to issue 2000 user certificates and computer certificates the bandwidth will be very low.
The most important thing is that the AIA and CRL location is available if the network goes down between the locations. Hope this helps a bit, else I will see if I can explain it a bit further and perhaps answer some of the other topics. But basically I think

Best Regards, Benjamin
July 24th, 2009 6:41pm
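As an added illustration of Benjamin's point that an issuing CA outage matters mostly through CRL expiry (example code written for this page, not from the thread), the script below models two issuing CAs that split 2000 certificates, computes how long one CA may stay down before its last published CRL expires, and what share of certificates clients can still check afterwards. It assumes nextUpdate = thisUpdate + publication interval + overlap, and all schedule values and counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class IssuingCa:
    """One issuing CA: its CRL schedule and how many certificates it issued (constructed)."""
    name: str
    publish_interval: timedelta      # how often the CA publishes a fresh CRL
    overlap: timedelta               # validity added beyond the next scheduled publish
    last_crl_published: datetime     # thisUpdate of the newest CRL before the scenario starts
    issued_certs: int
    down_since: Optional[datetime] = None   # None means the CA is up

    def crl_window(self, now: datetime):
        """(thisUpdate, nextUpdate) of the newest CRL a client can fetch at `now`."""
        this_update = self.last_crl_published
        # While the CA is up it republishes on schedule; once down, the last CRL is frozen.
        stop = now if self.down_since is None else min(now, self.down_since)
        while this_update + self.publish_interval <= stop:
            this_update += self.publish_interval
        return this_update, this_update + self.publish_interval + self.overlap

    def crl_valid_at(self, now: datetime) -> bool:
        this_update, next_update = self.crl_window(now)
        return this_update <= now < next_update

    def outage_tolerance(self) -> Optional[timedelta]:
        """How long after `down_since` the frozen CRL stays valid (None if the CA is up)."""
        if self.down_since is None:
            return None
        return self.crl_window(self.down_since)[1] - self.down_since

def checkable_fraction(cas: List[IssuingCa], now: datetime) -> float:
    """Share of all issued certificates whose revocation status clients can still check."""
    total = sum(ca.issued_certs for ca in cas)
    ok = sum(ca.issued_certs for ca in cas if ca.crl_valid_at(now))
    return ok / total

def example_scenario():
    """Two issuing CAs splitting 2000 certificates; CA2 goes down. Constructed scenario."""
    t0 = datetime(2009, 7, 24)
    ca1 = IssuingCa("CA1", timedelta(days=1), timedelta(hours=12), t0, 1000)
    ca2 = IssuingCa("CA2", timedelta(days=1), timedelta(hours=12), t0, 1000,
                    down_since=datetime(2009, 7, 25, 6))
    hours_left = ca2.outage_tolerance().total_seconds() / 3600          # 30.0 hours of grace
    day_later = checkable_fraction([ca1, ca2], datetime(2009, 7, 26))   # 1.0, still inside overlap
    two_days = checkable_fraction([ca1, ca2], datetime(2009, 7, 27))    # 0.5, CA2's certs unverifiable
    return hours_left, day_later, two_days
```

With a single CA the same outage drops the checkable share to 0.0 once its CRL expires, which is why the thread stresses CRL availability over CA count.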

The answer is really helpful. As I understand, I need to consider availability and scalability. For availability, the best choice is to have one CA per site, if network links between sites break and I want to have an issuing CA available. For scalability there is no question, because I don't have a lot of users (I have read that one CA can hold 750,000 certificates :) ). What is the reason I might need to have a different CA for each needed certificate template? If each CA has its own CRL and AIA location, the second CA will help only in that not all but half of the certificates could not be checked. Am I right? I need to find the answer to the other two questions. The main question is why to have separate Policy CAs. Benjamin, thank you for the answer.
July 25th, 2009 4:44pm

Hi aurimask,

Personally I always try to place the PKI servers in a central location or at a central datacenter. The reason for this is that they are often better protected here and the people with the skills to maintain them usually are there. The only reason to place them at a site is if your company has a really important service/application that uses certificates (like NAP, which issues certificates every 15 minutes) and it's highly important that certificates can always be issued at the site, even if the network connection is down.

It's very rare that I use one Issuing CA for one specific certificate template, but one scenario could be that you would use one for internal employees' certificates and one Issuing CA for external contractors' certificates, or perhaps one Issuing CA is used for encryption certificates and if you want different staff/management teams to handle each application/service. To save hardware and licenses I normally let each Issuing CA issue all certificate templates and use access lists to control who has access to them (but that depends on the business requirements).

And you are correct, if you use two issuing CAs and one goes down and stays down for several days and cannot renew its CRL, only half the certificates cannot be checked. I always use an http distribution path for CRL and AIA like http://pki.company.com/pki and then let both the root and Issuing CAs publish their information here, and then secondary ldap in some cases.

About the Policy CA, the question might be if you need one at all? :) I'm not sure I follow you in the questions about the Policy CA and why you need two or any at all. Policy CAs are often used to manage or dictate different security and operational policies between geographical areas, business units, intranet or extranet. For the CRL and AIA locations you can set them on each CA, if you want to have separate URLs or publishing intervals.
For the certificate renewal time, you can configure it in each certificate template (when a certificate should be renewed: if you choose Manage certificate templates, right click the template and select General. You can also set the lifetime of the certificate). Hope this helps a bit, else just let me know.

/Benjamin
July 27th, 2009 12:39pm

I am starting to understand :) You are helping me a lot. Could you be more specific on this: "Policy CAs are often used to manage or dictate different security and operational policies between geographical areas, business units, intranet or extranet"? How is it connected with the technical side of a CA? And yes, I need to have NAP. So I need to have an Issuing CA in each site?
July 27th, 2009 2:37pm

UP. Can somebody answer the first question and explain in more detail this -> "Policy CAs are often used to manage or dictate different security and operational policies between geographical areas, business units, intranet or extranet"?
April 21st, 2010 11:51am

Explaining questions 1 and 3: If your organization has multiple geographical branches (NA, SA, EU, Asia, etc.), you might need multiple domains for these locations. These domains will be child domains under the parent domain. The Policy CA will be located in the parent domain, which will manage all certificate templates. Each child domain has an issuing CA. To enforce template security policies, the Enterprise Administrator edits template security permissions on the policy CA and grants different permissions to each issuing CA administrator (group). In this way the policy CA manages the different templates' security policies and determines which template will be applied to which issuing CA.
January 4th, 2011 10:46pm

Issuing CA availability only impacts new certificate enrollment and certificate renewal. If you have a business-critical application that needs cert enrollment frequently, you'd better deploy two issuing CAs sharing the load. Otherwise one issuing CA is quite enough. CRL check availability is much more important. Your PKI disaster recovery procedure should care about this issue very much.
January 6th, 2011 6:52pm

I am really trying to make this TechNet Wiki article PKI Design Brief Overview a place from which we can answer the basic questions and point off to the more detailed information. http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx So, please, feel free to check out this document and add to it, if you have some basic items that people need to know. I think some of the questions are not really that basic, which is why I have links off to several other references. There are some really good articles out there and those are the ones that I want to link to for more information. However, I would like the PKI Design article to literally be a brief overview of the major considerations. Eventually, I want to pull all of this together in the TechNet Library, so we can have a good reference article there, with a link out to a "Community Version" on the TechNet Wiki. This way people searching for this information can find it quickly.
May 5th, 2011 9:22pm

With better advanced BCP and disaster recovery policy & practice, one can eliminate the need for a 2nd issuing CA.
June 6th, 2011 7:37am
