Certificate Best Practices

After you have decided which root CA you will employ, determine what each of the other CAs will do: the primary role of the CA, the types of certificates it can issue, and who is eligible to receive each certificate type. In a small organization the root-level CA may do it all. In a large organization you will have a number of CAs, each with a defined function: for example, one CA might issue smart card logon certificates while another handles IPsec, code signing, or other services. Where you run more than one tier, keep the root to signing subordinate CA certificates and CRLs so that it can stay offline, and let the subordinate CAs issue the end-entity certificates.

Once the roles are defined, establish standards for certificate revocation and renewal. The revocation standard defines when and how a certificate is revoked before its expiry date: the private key is lost or suspected compromised, the certificate was misused or issued in error, or the subject has left or changed role. An expired certificate does not need to be revoked; it is already invalid, and a CA normally drops expired entries from its certificate revocation list (CRL). The standard should also cover the CRL itself and how it is published: where relying parties fetch it (the distribution point named in the issued certificates), how often a fresh CRL is issued, and how much overlap there is between one CRL's next-update time and the actual publication of its successor, so that clients never hold a stale list.

The renewal standard should state whether certificates are renewed at all and, if so, which certificate types may be renewed and how: renewing with the existing key pair keeps the same public key under a new validity period, whereas re-keying issues the new certificate for a freshly generated key pair. Re-keying is the safer choice for anything that has been in heavy use or whose key could have been exposed, and a certificate whose key is actually suspect should be revoked, not renewed. Finally, set the renewal window for each type: far enough before expiry that the replacement is distributed before the old certificate stops working.

