PKI environment design

I am working on setting up a PKI environment for my company; this will need to support Windows 7 / Server 2008 R2 and up with AD.

The main uses will be: two-factor user authentication with smart cards, site-to-site VPNs (device certificates), WiFi, ...

I have already decided on a two-tier approach with an offline root and then either:
1) 2 Issuing CAs and 2 Web Enrolment CAs (as clusters)
2) 2 Issuing CAs (web enrolment on the same server) as a cluster

Our environment consists of:
1 central site with around 300 users
80-100 field sites with 5-100 users each (these sites usually run 3-5 years)
    All field sites are connected by VPN to the central site

My question is:
Should I install issuing CAs at each site (a third tier)?

If I do this it would not be a dedicated server but would be running on the same server as AD, WSUS, backup software, AV management, shared files, DNS, DHCP, and just about every other network service.

Or should I let clients in the field sites get and check certificates and CRLs with the central servers?

Bandwidth at sites varies from 512/512 to 10240/10240, with most operating at around 1024/1024. For most, latency is around 300-600 ms with less than 2% packet loss.

Erik Bjers, Principal Systems Administrator, Asked:


David Johnson, CD, MVP, Owner, Commented:
Or should I let clients in the field sites get and check certificates and CRLs with the central servers?

Either way, the clients will check the entire chain for trust and revocation. As a third party I may trust your root CA and your subordinate CAs but not trust a subordinate of a subordinate, depending upon your issuing policies. PKI is only one part of a two-factor authentication.
Erik Bjers, Principal Systems Administrator, Author Commented:
Thanks David.

My question is more along the lines of how reliable would the environment be if I only have the CAs at the central site or if it will make enrollment and certificate verification easier by having local CAs at each site.

Each site is a part of the same domain as the central office.

Schnell Solutions, Systems Infrastructure Engineer, Commented:
Hello Ebjers,

In order to get more simplicity and higher security, I vote for staying with your original idea of having the two-tier PKI.

Remember that after you submit the digital certificates, the possible reasons for contacting the PKI infrastructure are the CRL and AIA. In order to improve this for your remote sites, you can configure unique web addresses for your CRLs and AIAs and then configure these web addresses on web servers located at each location. In this way you will not have this traffic consuming your WAN connection; you can configure site awareness with a different split DNS configuration or with the subnet function that is delivered by DNS servers, where they can answer the clients according to the network where they are located.


Erik Bjers, Principal Systems Administrator, Author Commented:
Thanks Schnell Solutions,

If I understand you correctly you are suggesting I put CRL and AIAs on a server at each field site but not a full CA.

This way client computers would need to request new certificates from the CA(s) in the home office, which is not very frequent, and since most equipment is staged/built in the home office they would contact the CA there anyway.

Then they can request CRL and AIAs from the local server, which happens more frequently.

Would I be able to build that functionality into the existing server at each field site? These servers typically run: AD, DNS, DHCP, file shares, SQL, backup, anti-virus management, and mail systems (these are split on 2 servers for larger offices).


David Johnson, CD, MVP, Owner, Commented:
You can also have sub-subordinate CAs; each site can be an issuing CA for that site. It just makes the certificate chain a bit longer.
offline root CA - subordinate CA (issuing) - branch office 1 issuing CA
                                           - branch office 2 issuing CA
                                           - branch office 3 issuing CA
The sub-sub CAs can be restricted to only be able to issue computer/user certs; code signing only at the top issuing CA.
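One way to apply the restriction David describes, as an added example that is not from the thread: a CAPolicy.inf written on the branch server before the ADCS role is installed, so the branch CA's own certificate request asks for a limited EKU set and a path length of zero (the parent signs those constraints into the branch CA certificate; confirm with certutil -dump after issuance). The OIDs, key size and CRL periods are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on the branch-office server before
# Install-AdcsCertificationAuthority (Server 2012+) or the Add Roles wizard (2008 R2).
$caPolicy = @'
[Version]
Signature="$Windows NT$"

; The branch CA may only issue user/computer logon certificates.
; Code signing stays with the central issuing CA.
; 1.3.6.1.5.5.7.3.2      = Client Authentication
; 1.3.6.1.4.1.311.20.2.2 = Smart Card Logon
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2
OID=1.3.6.1.4.1.311.20.2.2
Critical=Yes

; PathLength=0: the branch CA cannot create a fourth tier of its own.
[BasicConstraintsExtension]
PathLength=0
Critical=Yes

; Periods are assumed values; shorter CRL life means branch clients must
; reach a fresh CRL more often, so size them to the site's WAN reliability.
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
; Start with no templates published; add only the user/computer ones deliberately.
LoadDefaultTemplates=0
'@

# CAPolicy.inf must live in %windir% when the CA role is installed.
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII
```

With LoadDefaultTemplates=0 the new CA publishes nothing until you add templates, which is the moment to check that the shared branch server has no template the site does not need.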
Schnell Solutions, Systems Infrastructure Engineer, Commented:
You are absolutely right Ebjers,

You can use any server as your CRL or AIA as long as you can install or use an existing web server application, such as IIS for Windows. (Any version; this is just a file repository.)
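The design Schnell Solutions describes above (one CDP/AIA hostname in every certificate, answered by a local IIS file copy at each site), as an added example that is not code from the thread. It assumes the hostname pki.example.com, the branch replica address 10.20.30.5 and a CA named "Example Issuing CA 1"; Part 1 uses the ADCSAdministration cmdlets, so it needs Server 2012 or later on the issuing CA (on 2008 R2 the same URLs go into the CA's Extensions tab), and Part 2 runs on any Windows client at a field site.

```powershell
# Part 1 (run once on the central issuing CA): every issued certificate points at
# one site-independent hostname; split DNS decides which IIS copy answers it.
Import-Module ADCSAdministration
Add-CACrlDistributionPoint -Uri 'http://pki.example.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri 'http://pki.example.com/aia/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
Restart-Service CertSvc
certutil -crl          # publish a CRL that already carries the new CDP URL

# Part 2 (run on a client at a field site): did DNS hand us the local replica, and
# is the CRL copied there still inside its validity window? A stale copy breaks
# revocation checking (and smart card logon) even while the WAN is up.
function Test-LocalCrl {
    param(
        [string]$Uri       = 'http://pki.example.com/crl/Example%20Issuing%20CA%201.crl',
        [string]$LocalIp   = '10.20.30.5',   # assumed address of this site's IIS replica
        [int]   $WarnHours = 24              # flag a replica whose CRL expires within a day
    )
    $hostName = ([uri]$Uri).Host
    $resolved = [System.Net.Dns]::GetHostAddresses($hostName) |
                ForEach-Object { $_.IPAddressToString }
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    (New-Object System.Net.WebClient).DownloadFile($Uri, $tmp)
    $dump = certutil -dump $tmp | Out-String
    if ($dump -match 'NextUpdate:\s*(.+)') {
        # certutil prints dates in the current culture, so parse with it; a plain
        # [datetime] cast uses the invariant culture and misreads dd/MM dates.
        $next = [datetime]::Parse($matches[1].Trim())
    } else {
        throw "No NextUpdate found in CRL downloaded from $Uri"
    }
    $now = Get-Date
    [pscustomobject]@{
        Host          = $hostName
        ResolvedTo    = ($resolved -join ', ')
        ServedLocally = [bool]($resolved -contains $LocalIp)
        NextUpdate    = $next
        HoursLeft     = [math]::Round(($next - $now).TotalHours, 1)
        Stale         = ($next -lt $now)
        ExpiresSoon   = ($next -lt $now.AddHours($WarnHours))
    }
}
Test-LocalCrl | Format-List
```

CRLs and CA certificates are signed by the CA, so the branch web server only has to be reachable, not trusted; the thing to monitor is the copy job that refreshes the files before NextUpdate.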
Erik Bjers, Principal Systems Administrator, Author Commented:
Sorry guys, I was on vacation so did not get back to the question. As this was just asking for advice/info there is no right answer, so I will split the points.