The two-tier model

This is the most commonly used PKI deployment model in corporate networks. By design, the root CA is kept offline, which prevents the private key of the root certificate from being compromised. The root CA issues certificates for subordinate CAs, and the subordinate CAs are responsible for issuing certificates for objects and services.

If a subordinate CA's certificate expires, the offline root CA has to be brought online to renew it. The root CA does not need to be a domain member; it should operate at the workgroup level as a stand-alone CA. Certificate enrollment, approval, and renewal between the root and subordinate CAs are therefore manual processes. This is a scalable solution: the number of issuing CAs can be increased based on workload, and the CA boundaries can be extended to multiple sites. In a single-tier model, if the PKI is compromised, recovery requires manually removing all the issued certificates from the devices. In a two-tier model, you revoke the certificates issued by the compromised CA, publish a CRL, and then reissue the certificates:

Advantages

- Improved PKI security: the root CA is offline, so its private key is protected from compromise.
- Flexible scalability: you can start small and expand by adding subordinate CAs when required.
- The impact of an issuing CA within the CA hierarchy is restricted by controlling the scope of the certificates it can issue, which prevents rogue certificates from being issued.
- Improved performance, as workloads can be shared among multiple subordinate CAs.
- Flexible maintenance, as there are fewer dependencies.

Disadvantages

- High maintenance: multiple systems must be maintained, and skills are needed to process the manual certificate request/approval/renewal between the root and subordinate CAs.
- Cost: resources and licenses cost more than in a single-tier model.
- The manual certificate renewal process between the root CA and subordinate CAs adds risk; if administrators forget to renew on time, it can bring the whole PKI down.
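The hierarchy and the recovery step described above (revoke, publish a CRL, reissue), as an added example built with Go's standard library; this is not code from the book or from AD CS. The offline root signs only the issuing CA's certificate, the issuing CA carries a path length of zero so it can sign end-entity certificates only, and revocation needs the issuing CA's key alone. CA names, the service name and the serial numbers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a fresh key and a certificate for cn signed by parentKey (self-signed when parent is nil).
// pathLen >= 0 makes a CA that may have that many CAs beneath it (0: end entities only); -1 makes an end entity.
func issue(cn string, serial int64, pathLen int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if pathLen >= 0 {
		tmpl.IsCA, tmpl.MaxPathLen, tmpl.MaxPathLenZero = true, pathLen, pathLen == 0
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTwoTier builds root -> issuing CA -> service certificate, verifies the chain, then revokes the
// service certificate with a CRL signed by the issuing CA alone: the root stays offline for both steps.
func BuildTwoTier() (chainOK, revoked bool) {
	root, rootKey := issue("Example Root CA", 1, 1, nil, nil)      // stand-alone root (constructed name)
	sub, subKey := issue("Example Issuing CA", 2, 0, root, rootKey) // subordinate CA, pathlen:0
	srv, _ := issue("srv01.example.local", 3, -1, sub, subKey)     // certificate for a service
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, chainErr := srv.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: srv.SerialNumber, RevocationTime: time.Now()}},
	}, sub, subKey)
	crl, err := x509.ParseRevocationList(crlDER)
	return chainErr == nil, err == nil && crl.CheckSignatureFrom(sub) == nil &&
		len(crl.RevokedCertificates) == 1 && crl.RevokedCertificates[0].SerialNumber.Cmp(srv.SerialNumber) == 0
}
```

A relying party that trusts only the root accepts the service certificate through the issuing CA, and the CRL it later fetches is valid without the root ever coming online.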