I am working on setting up a PKI environment for my company; it will need to support Windows 7 / Server 2008 R2 and up with AD.
The main uses will be: two-factor user authentication with smart cards, site-to-site VPNs (device certificates), WiFi, ...
I have already decided on a two tier approach with an offline root and then either
1) 2 Issuing CAs and 2 Web enrolment CAs (as clusters)
2) 2 Issuing CAs (web enrolment on the same server) as a cluster
Our environment consists of
1 central site with around 300 users
80-100 field sites with 5-100 users each (these sites usually run 3-5 years)
All field sites are connected by VPN to the central site
My question is:
Should I install issuing CAs at each site (a third tier)?
If I do this it would not be a dedicated server but would be running on the same server as AD, WSUS, Backup software, AV management, shared files, DNS, DHCP, and just about every other network service.
Or should I let clients in the field sites get and check certificates and CRLs with the central servers?
Bandwidth at sites varies from 512/512 to 10240/10240, with most operating at around 1024/1024. For most, latency is around 300-600 ms with less than 2% packet loss.