Windows 2000 Certificate Services and Public Key Infrastructure

Benefits of Multiple-Level Certification Hierarchies

Consider deploying multiple-level certification hierarchies that include root CAs, intermediate CAs, and issuing CAs. Multiple-level trust hierarchies provide many benefits.

General Benefits

Deploying multiple-level certification hierarchies provides the following general benefits:

They require trust in a relatively small number of root CAs that you can centrally control and maintain to ensure high security and integrity for root CAs.
They reduce the cost and impact of a failed or compromised CA.
They provide flexibility so business units can deploy and manage intermediate CAs to meet their public-key security needs.
They provide flexibility so business units can deploy and manage issuing CAs to distribute certificate load and provide duplication of certificate services.

Administrative Benefits

Deploying multiple-level certification hierarchies provides the following administrative benefits:

It enables flexible configuration of the CA security environment (key strength, physical protection, protection against network attacks, and so forth). You can tailor the CA environment to provide a balance between security and usability. For example, for a root CA, you might choose to use special purpose cryptographic hardware, maintain it in a locked vault, and operate it in offline mode. However, for an issuing CA, crypto-hardware, locked vaults, and offline operations are costly, make the CA difficult to use, and reduce the performance and effectiveness of the CA.
It enables relatively frequent renewals of keys and certificates for those intermediate and issuing CAs that are at high risk for compromise, without requiring a change to established root trust relationships.
It enables you to "turn off" a subsection of the CA hierarchy without affecting established root trust relationships or the rest of the hierarchy. For example, you can easily shut down an issuing CA that services one site, without affecting other certificate services for that site and without affecting certificate services for other sites.

Benefits of Multiple Issuing Certification Authorities

Deploying multiple issuing CAs provides several benefits, including the following:

You can specify separate certificate policies for different groups of users or computers. You can deploy separate issuing CAs to administer separate certificate policies for each group of users and computers.
You can specify separate certificate policies based on organizational divisions, such as a user's or computer's role in the organization. You can deploy issuing CAs to administer separate certificate policies based on such organizational divisions.
You can specify separate certificate policies based on geographic divisions, such as the locations of users and computers at multiple physical sites.
You can distribute certificate load and provide redundant services by deploying multiple issuing CAs to distribute the certificate load, meeting site, network, and server connectivity and load requirements. For example, slow or noncontinuous network links between sites might require issuing CAs at each site for acceptable certificate services performance and usability requirements. You can also deploy multiple issuing CAs to provide duplicate services so that if one CA fails, another issuing CA is available to provide uninterrupted service.