
Certificate Authority Three Tier Hierarchy CONFUSION


  • Certificate Authority Three Tier Hierarchy CONFUSION

    I am trying to set up a Three Tier Windows 2003 PKI Hierarchy ( practice stuff ),
    consisting of Offline Root CA > Offline Subordinate CA > Online Issuing CA ( as specified by Microsoft PKI Best Practices Thumb RULE )

    1) Why is the Subordinate CA referred to as a POLICY CA? I read that a POLICY CA defines issuance policies that the lower level CA must adhere to, but I am not able to view that ISSUANCE Policy anywhere. Can we view that ISSUANCE POLICY?

    2) Why do we need to set up multiple Subordinate CAs or Policy CAs, if we are in a case of geographical Dispersion or say under any kind of ISOLATION requirement?

    3) What are Application and Issuance Policies? A bit more plain english reference PLZ

    4) What is the use of AIA ( Authority Information Access )? I read that it is helpful for Clients who need to verify a Certificate Trust Chain by publishing a valid URL Location, where the CLIENTS can find the valid certificate which was advertised in the AIA URL PATH
    ... but suppose I had added / published the ROOTCA Certificate in Group Policy, so that DOMAIN CLIENT Machines automatically get our ROOTCA Certificate, then would the ROOTCA AIA PATH be of any use?

    Would be adding more Questions later , FTW following
    OS ... VirTuaLiZaTioN ... MaxiMuS ... Fair, Good, Better, Best

  • #2
    Re: Certificate Authority Three Tier Hierarchy CONFUSION

    1. Check the Properties > Policy Module tab on the Sub CA.

    2. It depends on business needs. If you're asking that question then you don't need multiple Sub CAs. Most folks have a single CA, if you're serious about security then two tiers come into play. Three tier and beyond is only for huge infrastructures.

    3. Basically it's a custom field in a Certificate that can be used to provide more granular control when it comes to authentication/authorization.

    4. Look up CRL vs OCSP. CRL is an older method for verifying certificates; it's slower and results may be outdated. OCSP allows live queries.

    Also PKI is a standard, it works outside Active Directory. You may be able to update things using GPO but when it comes to the public it happens over HTTP using the URL in the AIA field.
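As an added example that is not from either poster, the following PowerShell script reads the AIA and CRL Distribution Point URLs out of a certificate and then builds its chain with online revocation checking the way a Windows client would. The file path `.\issued.cer` is a placeholder for any DER or PEM certificate issued by your lab CA.

```powershell
# Added example: inspect the AIA / CDP URLs stamped into a certificate and
# build its chain as a Windows client does. Path below is a placeholder.
param(
    [string]$Path = '.\issued.cer'
)

# Load the certificate from disk (the constructor accepts a file path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

# Extension OIDs: Authority Information Access and CRL Distribution Points.
$wanted = @('1.3.6.1.5.5.7.1.1', '2.5.29.31')

foreach ($ext in $cert.Extensions) {
    if ($wanted -contains $ext.Oid.Value) {
        Write-Output ("{0} ({1}):" -f $ext.Oid.FriendlyName, $ext.Oid.Value)
        # Format($true) renders the extension multi-line; keep only the URL= entries.
        $ext.Format($true) -split "`r?`n" |
            Where-Object { $_ -match 'URL=' } |
            ForEach-Object { Write-Output ('    ' + $_.Trim()) }
    }
}

# A chain is built from the end-entity certificate upward: each certificate's
# AIA tells the client where to fetch ITS ISSUER's certificate, so the AIA in
# a self-signed root is never consulted. What matters for clients that did not
# receive the intermediates (e.g. non-domain machines) is the AIA written into
# the subordinate/issuing CA certificates and into the issued certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# The trusted root is not revocation-checked; only the certificates below it are.
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($cert)

Write-Output ("Chain valid: {0}" -f $built)
foreach ($element in $chain.ChainElements) {
    Write-Output ("  " + $element.Certificate.Subject)
    # Any per-element problem (untrusted root, revocation offline, expired CRL) shows here.
    foreach ($status in $element.ChainElementStatus) {
        Write-Output ("      ! {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}
```

Run it once against a certificate on a domain-joined machine and once on a machine that only trusts the root to see which AIA and CDP fetches the chain builder actually needs.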