- PKI-Root-CA for the offline root CA (there is only one)
- PKI-Sub-CA-1 for the first subordinate CA (it could also be designated as a policy or issuing CA).
- PKI-Servers = OU for servers with a PKI role.
- PKI-Admins = security group for PKI administrators
- Number of certificates (if many certificates are requested we may need more CAs)
- Availability - having more than one server is crucial here but we also need to consider reliability between sites. We may need a CA per site to ensure availability.
- Management style: if each team or each department intends to manage its own certificates, more CAs may be necessary than in a centralized environment (one team manages the PKI).
- Politics (or regulation). Legislation in the USA may be different than legislation in the EU. Multinational companies may have to consider this element.
- Applications. What systems will use the certificates: website authentication? encryption/decryption of email? Code signing? Smart Cards?
- Security. Do we need to place the root CA offline? Should we take additional measures to protect CA private keys? What determines if we approve a certificate request or not?
- Business. What will the PKI cost? To what extent can we minimize cost while providing the expected level of service? What is our liability in case of certificate compromise?
- External. If we want to interact with a partner organization or a government, there are other considerations.
- Technical (administration):
  - Who will manage the PKI?
  - Will there be separation of roles?
  - What kind of storage will be used for the CAs?
  - What key length will we use (1024, 2048, 4096)? As a general rule, a longer key is more secure but requires more computing power. 2048 is currently the recommended minimum.
  - What will the validity period of the certificates be?
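
To check an existing deployment against the key length and validity decisions above, the following added example (not part of the original text) reports RSA key size and validity period for each certificate in a store and flags keys below the 2048-bit minimum. The function name `Get-CertKeyReport` and the store path `Cert:\LocalMachine\My` are assumptions chosen for illustration.

```powershell
# Added example: audit a certificate store against the chosen key length policy.
# Get-CertKeyReport is a hypothetical helper name, not a built-in cmdlet.
function Get-CertKeyReport {
    param(
        [Parameter(Mandatory)] [string] $Path,   # certificate store to audit
        [int] $MinBits = 2048                    # minimum RSA key length from the text
    )

    $now = Get-Date
    Get-ChildItem -Path $Path |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            # GetRSAPublicKey returns $null for non-RSA (for example ECDSA) certificates.
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }

            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Algorithm  = $_.PublicKey.Oid.FriendlyName
                KeyBits    = $bits
                # Total validity period the certificate was issued with, in days.
                ValidDays  = [int]($_.NotAfter - $_.NotBefore).TotalDays
                # Negative values mean the certificate has already expired.
                DaysLeft   = [int]($_.NotAfter - $now).TotalDays
                # Only RSA keys are compared against the bit-length minimum.
                WeakKey    = ($null -ne $bits -and $bits -lt $MinBits)
            }
        }
}

# Assumption: the local machine's personal store is the one being audited.
Get-CertKeyReport -Path 'Cert:\LocalMachine\My' |
    Sort-Object WeakKey, DaysLeft -Descending |
    Format-Table Subject, Algorithm, KeyBits, ValidDays, DaysLeft, WeakKey -AutoSize
```
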
- CA administrator ("Manage CA permissions") -> this role manages the entire CA.
- Certificate manager ("Issue and manage certificates") -> manages certificates: issuance, revocation, archiving.
- Backup operator -> backup and recovery of CA databases and configuration files.
- Auditor -> reviews PKI-related logs, including Event Viewer.
Windows Server 2008 PKI and Certificate Security, Brian Komar, Microsoft Press, 2008
Text is out of print.
It is possible to obtain a digital copy. See details here:
TechNet Security forum
Designing and implementing a PKI - Directory Services Team (Ned Pyle)