Single or Multiple Standalone Root CAs
My organization consists of several environments: Test, Production & ProductionAcquisition, each having the following characteristics:

Test - Multi-domain forest. Server 2003 DCs. Server 2008 R2 schema. Presently no ADCS services.
Production - Multi-domain forest. Server 2003 DCs. Server 2008 R2 schema. One-way trust with ProductionAcquisition. Has limited network connectivity to Test. Presently no ADCS services.
ProductionAcquisition - Multi-domain forest. Server 2003 DCs. Server 2008 R2 schema. One-way trust with Production. Has limited network connectivity to Test. Presently no ADCS services.

We are in the planning and design phase of an internal PKI (not for externally facing systems) and are trying to determine best practice or recommendations on whether each environment should have its own Standalone Root CA with subordinate Enterprise Issuing CAs, or whether there should be a single Root CA across all the environments, with this single Root CA signing the Enterprise Issuing CAs within each environment.

Our concern is that from Production and ProductionAcquisition there is limited network access to systems in the Test environment. If we implement separate Standalone Root CAs for each environment, then when a system in Production or ProductionAcquisition accesses a resource in the Test environment that is protected by a certificate (say HTTPS), it will not trust the Test environment Root CA. A single Root CA used to sign the Enterprise Issuing CAs within each environment would resolve that issue, as the Standalone Root CA would be published to each environment. Or, we could take each individual environment's Standalone Root CA certificate and publish it to each of the other environments, which would in turn place each environment's Standalone Root CA in the "Trusted Root Certification Authorities" store of the computers within. Or, we could cross-certify each environment?

Looking for some help, recommendations, best practices, advice and confirmation that our concerns and theories are valid. Any feedback is greatly appreciated.

Thank you, Paul
July 22nd, 2011 9:59pm

You should deploy a separate root CA for the test environment. For the production and acquisition environments you can deploy a single root CA and two or more subordinate CAs, one set for each forest. If these forests require different certificate policies, you may need to deploy two separate policy CAs and issuing subordinate CAs under these policy CAs. BTW, your test PKI should be separated from the other PKIs to avoid test certificates being used in the production environment. If necessary you can create a strict cross-certification between the test and production PKIs.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 23rd, 2011 10:09am
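The reply above leaves the original poster with two ways to let Production members accept Test certificates: publish the Test root into the Production forest (full trust), or have the Production root cross-certify the Test root with name constraints (the "strict cross certification" mentioned). The following PowerShell is an added example written for this page, not code from either poster or from the PSPKI module. It assumes placeholder values: the Test root certificate exported to C:\PKI\TestRootCA.cer, a thumbprint handed over out of band, an offline Production root named PRODROOT01\Production Root CA, and the namespaces test.example.com / prod.example.com. It is run as Enterprise Admin on a Windows Server 2008 R2 member of the forest that needs to trust Test; the certutil and certreq switches are the documented Windows Server 2008 R2 ones.

```powershell
# Added example (not from the original thread). Placeholders to adjust:
#   $TestRootCer        - the Test forest's standalone root certificate
#   $ExpectedThumbprint - SHA-1 thumbprint received from the Test PKI team out of band
#   'PRODROOT01\Production Root CA' - the (offline) Production root CA
#   test.example.com / prod.example.com - the two forests' namespaces
$TestRootCer        = 'C:\PKI\TestRootCA.cer'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder

# --- 1. Verify the root before trusting it anywhere ------------------------
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $TestRootCer
if ($root.Subject -ne $root.Issuer)           { throw "Not a self-signed root: $($root.Subject)" }
if ($root.NotAfter -lt (Get-Date))            { throw "Root certificate expired on $($root.NotAfter)" }
if ($root.Thumbprint -ne $ExpectedThumbprint) { throw "Thumbprint mismatch; do not publish this certificate" }

# --- Option A: full trust, publish the Test root into this forest ----------
# certutil writes the certificate to CN=Certification Authorities (and CN=AIA)
# under CN=Public Key Services,CN=Services,<Configuration NC>. Domain members
# copy it into their machine Trusted Root store at the next Group Policy refresh,
# so nothing has to be pushed per host.
# Do NOT publish a test root with the NTAuthCA target: that would allow
# Test-issued certificates to authenticate users (smart card logon) in Production,
# which is exactly the test-certificate leakage the reply warns about.
certutil -dspublish -f $TestRootCer RootCA

# Confirm the object landed in the Configuration partition. Plain ADSI is used
# because the DCs are Windows Server 2003 (no ADWS for the ActiveDirectory module).
$cfgNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$caCont = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfgNC"
$caCont.Children | ForEach-Object { $_.distinguishedName }

# On any domain member, after 'gpupdate /force', the root should now be present:
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }

# --- Option B: strict cross-certification (qualified subordination) --------
# Instead of trusting everything the Test root ever signs, the Production root
# cross-signs the Test root with a critical Name Constraints extension, so
# Production members only accept Test-issued certificates for names inside the
# Test namespace and reject any that impersonate Production names.
# The .inf below is certreq's policy-file syntax; the namespaces are placeholders.
@'
[Version]
Signature = "$Windows NT$"

[NameConstraintsExtension]
Include  = NameConstraintsPermitted
Exclude  = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS           = ".test.example.com"
DirectoryName = "DC=test,DC=example,DC=com"

[NameConstraintsExcluded]
DNS           = ".prod.example.com"
DirectoryName = "DC=prod,DC=example,DC=com"
'@ | Set-Content -Path 'C:\PKI\CrossCert.inf' -Encoding ASCII

# Build the cross-certification request from the Test root's own certificate,
# submit it to the Production root (on a standalone root the request stays
# pending until approved in the CA console; retrieve it with 'certreq -retrieve'
# afterwards), then publish the cross-certificate so chain building can find it.
certreq -policy $TestRootCer 'C:\PKI\CrossCert.inf' 'C:\PKI\CrossCert.req'
certreq -submit -config 'PRODROOT01\Production Root CA' 'C:\PKI\CrossCert.req' 'C:\PKI\CrossCert.cer'
certutil -dspublish -f 'C:\PKI\CrossCert.cer' CrossCA
```

Option A is what the original poster described as publishing each environment's root to the others; it is simple but makes every Test-issued certificate, for any name, valid in Production. Option B is the reply's "strict cross certification": the Test root stays untrusted on its own, and only the constrained cross-certificate signed by the Production root is published, so a compromised or sloppy Test issuing CA cannot mint certificates that Production clients will accept for Production hostnames.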
