PKI - 2008 R2 Design Questions
Would love to hear back from Komar or Vadims.

Been tasked with implementing a 2008 R2 PKI for our organization of 5,000 users and computers geographically based in the US. Going to be a 2 tier system. There is not an application-specific driving force for this, but the PKI will provide the foundation for many upcoming projects. We will be using it for SSL certs, software code signing, user and machine certs for wireless, port based auth and digital signatures. Questions are:

1. We have been thinking about making it globally trusted by having the issuing CA signed by someone like GlobalSign. If you were implementing a new PKI for a 5,000 firm org would you build it as a globally trusted one? I don't think the cost is a deciding factor, we're just trying to determine if it is worth it. We know we would need an HSM and have already spoken with nCipher and SafeNet. The only advantages I can think of right now are (a.) don't have to worry about maintaining the root cert, (b.) able to issue external SSL certificates, (c.) users' certs for digital signing could be validated outside the organization, (d.) don't have to import the root cert into AD. Am I missing anything?
   a. Considering the above and if you had the option, would you recommend making it globally trusted? It's more work initially but is it worth it in the long run?
2. Would one Issuing CA be sufficient for 5,000 users and computers? It would be a Dell R710, 2 quad core Xeon 2.4 GHz procs, 8 GB memory with 6 300 GB hard drives configured as 2 in RAID 1 for OS and CA log, and 3 in RAID 5 for CA database with 1 drive as hot standby, if we went physical.
3. Would you recommend clustering the server for DR or just configuring a backup issuing CA in another datacenter?
4. Should we consider virtualizing the server? We have a VMware infrastructure, but we're leaning towards physical because of the server role, but if it's not a big deal we would consider virtual; we would just need to get a network based HSM if we made it publicly trusted in the question above.

Your wisdom and feedback is greatly appreciated.

Owen
January 28th, 2010 11:26pm
Here are my thoughts:

1) While the external root is great for SSL and code signing, I do not have a warm fuzzy feeling when it comes to smart card logon, EAP/TLS, EFS, and other internal user only certificates. By using a commercial root, it is possible for another organization to get a certificate that is trusted in your organization for apps. Root signing by a commercial root really is great as a cost savings measure when an organization needs to cut down the costs of purchasing individual S/MIME, SSL, and code signing certificates.
2) Yes, it should be fine for 5000 users/computers.
3) Clustering really only becomes necessary (to me) when you have a lot of archived private keys (which is not in your deployment). You would do better potentially by having a second CA at a remote site.
4) Virtual or physical would be fine.

HSM is really important no matter which way you go IMHO.

Brian
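Brian's point 1) in working code, as an added example that is not part of this thread: a constructed hierarchy in which one commercial root signs both "our" issuing CA and an unrelated organization's issuing CA, then a minimal chain check run twice, once with the commercial root as the trust anchor and once with only our own issuing CA as the anchor. It assumes Python with the `cryptography` package; all CA and subject names are made up, and the path check deliberately skips validity dates, revocation, policy and name-constraint processing to keep the trust-anchor effect visible.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    # Issue a cert for `key`, signed by `issuer_key` (self-signed when no issuer is given).
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    signer = issuer_key if issuer_key is not None else key
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def signed_by(cert, signer_cert):
    # True when the names link up and `cert` carries a valid signature from `signer_cert`'s key.
    if cert.issuer != signer_cert.subject:
        return False
    try:
        signer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chains_to_anchor(leaf, intermediate, anchor):
    # Minimal path check: leaf <- intermediate (must be a CA) <- trust anchor.
    is_ca = intermediate.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    return is_ca and signed_by(leaf, intermediate) and signed_by(intermediate, anchor)


def build_scenario():
    # Constructed hierarchy with hypothetical names: one commercial root signs both issuing CAs.
    root_key, ours_key, other_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Commercial Root CA", root_key, is_ca=True)
    ours = make_cert("Contoso Issuing CA", ours_key, root, root_key, is_ca=True)
    other = make_cert("OtherCorp Issuing CA", other_key, root, root_key, is_ca=True)
    outsider = make_cert("someone@othercorp.example", user_key, other, other_key)
    return root, ours, other, outsider


def trust_comparison():
    # Returns (outsider trusted with the commercial root as anchor, outsider trusted with only our CA as anchor).
    root, ours, other, outsider = build_scenario()
    return chains_to_anchor(outsider, other, root), chains_to_anchor(outsider, other, ours)
```

The first value comes back True: anything the commercial root has signed, including a stranger's issuing CA, validates for any application that anchors trust at that root, which is why internal-only uses such as smart card logon or EAP/TLS are better anchored at a root you control.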
January 29th, 2010 1:03am
Brian, thanks for your response. Due to the small quantity of external SSL certificates and not having a requirement for S/MIME and only needing to sign internal code, I think it makes more sense based on your feedback to forgo the publicly trusted external root. We do have a need for some Adobe files to be digitally signed externally but that is separate anyway because of Adobe's CDS. So with that being said we will proceed with an internal PKI for now. If we ever have the need for tons more external SSL or S/MIME we can look at it then. This brings me to just a couple more questions:

1. So I think we will go internal 2 tier system with offline standalone root and online 2008 enterprise Issuing CA. (Do you still recommend 2 tier or can we forgo the offline root? I read someone recommending that but I didn't think it was best practice!)
2. If it's 2 tier, we will use an HSM for both the standalone Root and the Issuing CA. Do I need to use an HSM for the OCSP online responder web servers? If so, it seems to make financial sense to get a network HSM like a Luna SA instead of individual PCI HSM cards. I believe you need an HSM for the Online Responder signing certificate, correct?
3. If the answer to 2 above is that we need an HSM for the online responder, which means we will get a network HSM, it makes sense to go virtual on the online Enterprise Issuing CA, saving the 9,000 on a physical server. Do you have a recommendation on a virtual setup of the online Issuing CA for our 5,000 user/computer org, i.e. amount of memory and disk space configuration?
4. Lastly, should I take the time to get a free OID from IANA or buy one from ANSI instead of using the private one generated from the GUID? Not sure if we will use PKI in other organizations, but would rather have the ability in the near future if we need to do so with some partners we work with. If you recommend getting one, is there a benefit to the free one vs buying one?

Thanks so much in advance, my nose has been buried deep in your book and I love reading it, but this is our first one and you have the expertise. Appreciate all feedback and recommendations.

Owen
January 29th, 2010 6:53pm
1) I would stick with two tier.
2) It is your choice to use an HSM for the Online Responder. It is not a requirement to use the netHSM, but it is a pretty trusted certificate (the OCSP Response Signing).
3) I do not have sizing guidance. Look to MS for this information.
4) Either buy from ANSI or get a free one from IANA rather than using a private GUID (which actually belongs to MS). They are equal IMHO. I really do not care if it begins with 1.3.6.1.4.1 or 2.16.840.

Brian
January 29th, 2010 7:52pm
If you plan to set up the CA on a VM, consider the max load to the server. In the worst case clients may request up to 5,000 certificates per day or less (in case general purpose certificates will be issued via autoenrollment). You must inspect the following general component impact to CA performance:

http://technet.microsoft.com/en-us/library/cc778985(WS.10).aspx

Also there are some interesting tests with CAs on VMs (just to compare with your planned load):

http://blogs.technet.com/wincat/archive/2009/08/10/scale-testing-the-world-s-largest-pki-all-running-on-ws08r2-and-hyper-v.aspx

http://www.sysadmins.lv
January 31st, 2010 5:00am