■ An offline root CA installed as a standalone root CA.
■ One or more offline policy CAs installed as standalone subordinate CAs.
■ One or more issuing CAs installed as enterprise subordinate CAs or occasionally as subordinate standalone CAs.
A three-tier hierarchy is recommended in the following scenarios:
■ Strong physical security of the CA hierarchy is mandated by the security policy. The removal of the root and policy CA tiers from the network protects computers from network-sourced attacks.
■ Two or more different certificate policies are required for certificate issuance. The policy CA tier allows you to define different certificate practice statements (CPSs) and related certificate policies at each policy CA defined at the second tier.
Note The design of issuing CAs is discussed in more detail later in this chapter.
■ Management of the CA hierarchy is split among different network administration teams—for example, one PKI management team manages the Europe CAs, while a separate team manages the Asia CAs. In this scenario, each team is responsible for defining the CPS for their policy CAs. (See Chapter 3 for a review of defining the CPS.)
Note Remember that a CPS is effective at the CA where the CPS is defined in the CA certificate, as well as at any CAs that are subordinate to that CA in the hierarchy.
Was this article helpful?