Examining the PKI Topology of Hierarchical CAs

For organizations that want to avoid the pitfalls of the single-root CA, more complex CA structures can be devised and implemented. This section examines the hierarchical CA structure and its application, as shown in Figure 14-6.

Figure 14-6 Hierarchical CAs

The hierarchical CA structure is a more robust, and more complex, implementation of the PKI. In this topology, CAs may issue certificates to both end users and subordinate CAs. These subordinate CAs may in turn issue certificates to end users, to other CAs, or to both. The result is a tree of CAs and end users in which each higher-level CA may issue certificates to any CA or end user below it. Relying parties directly trust only the root; every other certificate is accepted because it chains, signature by signature, up to that root. This structure gets around the issues that we saw with the single-root CA.

For many organizations, the main benefit of this topology is a significant gain in scalability and manageability. Trust decisions may be delegated down the tree to smaller branches, which fits the structure of many large enterprise organizations. Let's take a look at an example.

A large enterprise organization may choose to have a root CA in its headquarters that is responsible for issuing certificates to level-2 CAs both locally and in regional locations. It then falls on these level-2 CAs to issue all certificates to the end users.

This solution also improves security. The root signing key, held by the root CA, is seldom used after the subordinate CA certificates are issued, so it can be kept offline; its exposure is limited and it is therefore more readily trusted. The structure also contains the damage when a key is stolen from a subordinate CA. Should this occur, the root revokes that subordinate's certificate and only that branch of the PKI is rendered untrusted; certificates issued by the other subordinate CAs remain valid, and relying parties simply no longer trust that particular CA. Note that this containment depends on relying parties actually checking revocation (through a CRL or OCSP), and that anything the stolen key signed before it was revoked must be treated as suspect.

Even though this hierarchical topology has great benefits, some matters must be considered. Given the complex nature of a structure with numerous branches, one issue can be finding the certification path for a certificate: the chain of issuer certificates from the end user's certificate up to the root. A relying party must locate each issuer's certificate in turn and verify that every certificate in the chain was signed by the key of the one above it; that is how it confirms the signing process. If a great number of CAs exist between the root CA and the end user, discovering, verifying, and checking revocation for every link in that path can be quite difficult.
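The following Go program is an added example, not code from this chapter or from any vendor product. It builds the two-tier hierarchy described above with the standard library's crypto/x509 package and then performs the relying party's certification-path validation for end users in each branch. The organization name (Example Corp), the CA and user names, the P-256 keys, the 24-hour validity, the sequential serial numbers, and the pathLenConstraint policy (the root may issue one tier of CAs, level-2 CAs may issue only end-user certificates) are all assumptions made for the example. Revocation of a compromised subordinate CA is modeled by removing it from the set of intermediates the relying party will accept; Go's Verify does not itself consult a CRL or OCSP responder, so a production relying party must add that check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is one node of the CA tree: a certificate and the key that signs for it.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 // sequential for brevity; a real CA uses random serials

// issue creates a certificate for name, self-signed when issuer is nil. CA certs
// get a pathLenConstraint so a level-2 CA cannot quietly grow a third tier.
func issue(name string, isCA bool, pathLen int, issuer *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = pathLen, pathLen == 0
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &entity{cert: cert, key: key}, nil
}

func must(e *entity, err error) *entity {
	if err != nil {
		panic(err)
	}
	return e
}

// certPath is the relying party's job: build and validate the certification path
// from an end-user certificate to the trust anchor, checking every signature on
// the way. Only root is trusted outright; subCAs are merely candidate issuers.
// It returns the subject names along the path, end user first, root last.
func certPath(user, root *entity, subCAs ...*entity) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	for _, ca := range subCAs {
		inters.AddCert(ca.cert)
	}
	chains, err := user.cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	root := must(issue("Example Corp Root CA", true, 1, nil)) // may issue one CA tier
	hqCA := must(issue("Example Corp HQ CA", true, 0, root))   // may issue end users only
	emeaCA := must(issue("Example Corp EMEA CA", true, 0, root))
	alice := must(issue("alice@hq", false, 0, hqCA))
	bob := must(issue("bob@emea", false, 0, emeaCA))
	fmt.Println(certPath(bob, root, hqCA, emeaCA)) // bob -> EMEA CA -> root
	// The EMEA CA key is stolen and the root revokes its certificate, so relying
	// parties stop accepting it as an issuer: bob's path fails, alice's does not.
	fmt.Println(certPath(bob, root, hqCA))
	fmt.Println(certPath(alice, root, hqCA))
}
```

Running the program prints bob's three-certificate path, then an "unknown authority" error for bob once the EMEA CA is no longer accepted, then alice's path through the HQ CA, which is unaffected. Two properties worth noticing: the relying party never sees the root's private key, because the root only has to sign the two level-2 CA certificates, and a certificate issued by a self-signed CA that merely reuses the name "Example Corp EMEA CA" fails validation, since its signature cannot be chained to the trusted root. The pathLenConstraint on the level-2 CAs also rejects any attempt to issue a third CA tier beneath them, which keeps the certification paths the relying party has to discover short.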
