PKI AIA/CDP OCSP Design Considerations Best Practice
Hello, my organisation currently has a very new PKI environment. It is two-tier with an offline root CA, 7000 users. I came into the organisation after the original test PKI was built, and it is starting to be used. I am curious as to whether best practice has been followed, and if there are any potential issues I would like to fix them before it becomes too late to make any changes. Currently the PKI is used for all client PC certs (Windows XP + 7), server certs (2003 + 2008), internal web server certificates, and a very small number of users use encryption. The organisation also wants to add NDES for Android/Apple devices, an endpoint gateway, VPN, etc. The PKI use case seems to be mostly internal at this point; I am unsure whether adding endpoint and NDES devices will require "external" revocation checking to meet best practice, or if this use case could still be treated as a 100% internal PKI? Screenshot of the PKI environment here: http://i49.tinypic.com/x3frl4.png

First, I am curious about the Root CA containing AIA/CDP. I think I read somewhere that this is not good and should not exist on a Root CA; is this correct?

Second, I am not sure about the CRL order for HTTP #1 vs LDAP #2 (it seems odd that LDAP is order #2?). Logically I would think if using LDAP internally it should be #1. There is some discussion in this article: http://technet.microsoft.com/nl-nl/library/cc776904(WS.10).aspx What do you think? Also, the AIA/CDP location is currently configured using the internal domain name. This seems OK for now, but I think it could be a big problem in future, especially after NDES and endpoint devices are added? It seems common best practice is to use a DNS name scheme such as http://pki.domain.com/ instead?

Third, I want to add OCSP in an HA configuration, since the environment is using only CRLs at present. For OCSP best practice, I read that I should implement the OCSP Online Responder using separate servers from the subordinate CA servers, with the responders configured in an array behind an IP load balancer. So I am planning 2 x new servers for the Online Responder, and we have an IP load balancer; does this sound OK? Also with OCSP, I cannot find any technical information to explain WHY to use a separate server from the CA. Is this because of a potential DoS attack or IIS vulnerability? I cannot think of any other reason, and an extra server does add complexity and management overhead to the environment. Microsoft did not explain this requirement very well in any documentation I can find; they only say to use a separate server but do not give the technical reason why. Maybe somebody can help answer this? So if using a separate new server for OCSP, would it also be best practice to move the CRL onto the same servers, leaving only web enrollment on the subordinate CA? Can CRL / OCSP co-exist easily on the same server and IIS? Thank you :)
September 12th, 2012 10:45pm
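As an added example (not from the original post or from Microsoft documentation), the following PowerShell script audits one issued or root certificate against the three design points raised above: CDP/AIA present on a root, HTTP-before-LDAP ordering, and internal-only names in the locations. It assumes the certificate is available as a .cer file; `$InternalSuffix` is a placeholder for the forest's internal DNS suffix.

```powershell
# Added example, not code from the original post: audit one certificate's
# CDP/AIA extensions for the three design points raised above.
# Assumptions: the cert is a .cer file readable by X509Certificate2, and
# $InternalSuffix is a PLACEHOLDER for the forest's internal-only DNS suffix.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [string]$InternalSuffix = 'corp.example.local'
)

# Return an extension's URLs in the order the CA wrote them; clients try
# CDP/AIA locations top-down, so that order is itself a finding.
function Get-ExtensionUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$c,
                           [string]$Oid) {
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return }
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://[^\s"<>]+') |
        ForEach-Object { $_.Value }
}

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp    = @(Get-ExtensionUrls $cert '2.5.29.31')         # CRL Distribution Points
$aia    = @(Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1')  # Authority Information Access
$isRoot = ($cert.Subject -eq $cert.Issuer)               # self-signed = trust anchor
$hostRe = '(?i)^https?://[^/]*\.' + [regex]::Escape($InternalSuffix) + '(?:/|$)'
$findings = @()

# 1. Windows does not perform revocation checking on a self-signed trust
#    anchor, so CDP/AIA on the root is never used and is normally left off.
if ($isRoot -and ($cdp.Count + $aia.Count) -gt 0) {
    $findings += 'Root certificate carries CDP/AIA URLs; leave these off the root.'
}

# 2. HTTP first: LDAP is only reachable by domain-joined clients, and a client
#    that tries LDAP first must time out before it ever reaches the HTTP copy.
if ($cdp.Count -gt 0 -and $cdp[0] -notmatch '^http://') {
    $findings += "First CDP location is not HTTP: $($cdp[0])"
}

# 3. Anything off the LAN (NDES-enrolled phones, VPN gateways) cannot resolve
#    internal-only names or open LDAP to a DC, so revocation checking fails.
foreach ($u in ($cdp + $aia)) {
    if ($u -match '^ldap:')    { $findings += "LDAP location, domain clients only: $u" }
    elseif ($u -match $hostRe) { $findings += "Internal-only DNS name: $u" }
}

"Subject : $($cert.Subject)"
"Root CA : $isRoot"
"CDP     : $($cdp -join ', ')"
"AIA     : $($aia -join ', ')"
if ($findings.Count -gt 0) { $findings | ForEach-Object { "WARN  $_" } } else { 'OK    no findings' }
```

Run it against the exported root and a freshly issued client certificate; the root should produce no URLs at all, and the issued certificate should list an HTTP location on an externally resolvable name first.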

