PKI Topology

PKIs can form different topologies of trust. In the simplest model, a single CA (the root CA) issues all the certificates directly to the end users, as shown in Figure 13-4.

Figure 13-4. Single Root CA

The advantage of this setup is its simplicity, but there are some pitfalls. The setup has a single point of failure, and it is not suitable for large-scale deployments. Because of its simplicity, this topology is often used in VPNs managed by a single organization. A more complex topology involves multiple CAs within the same organization. This is called a hierarchical CA and is shown in Figure 13-5.

Figure 13-5. Hierarchical CA

In this system, CAs can issue certificates to both end users and subordinate CAs. Subordinate CAs can, in turn, issue certificates to end users and other CAs. This topology is more scalable and manageable than the single-root model, but it has weaknesses. A serious issue with hierarchical CAs is finding the certification path for a certificate: the more CAs that are involved in establishing trust between a root CA and the end user, the harder it is to discover and validate that path.

Another approach to hierarchical CAs is called cross-certifying. Figure 13-6 shows a sample setup of this topology. With cross-certifying, multiple single-root CAs establish trust horizontally by cross-certifying each other's certificates, so a relying party that trusts one root can validate certificates issued under the other.

Figure 13-6. Cross-Certified CA

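The path-discovery problem described for hierarchical CAs, and the horizontal trust that cross-certification adds, can both be seen in a small certification path builder. This is an added example, not code from the original text; the certificate store is constructed inline as (subject, issuer) pairs, and the search walks from an end-entity certificate up through issuers until it reaches a trust anchor the relying party has configured.

```python
from collections import deque

# Constructed sample store: each entry is (subject, issuer).
# A self-issued entry (subject == issuer) is a root CA certificate.
# RootA and RootB each run a hierarchy; the last entry is a
# cross-certificate in which RootB certifies RootA's key.
CERTS = [
    ("RootA", "RootA"),
    ("SubA1", "RootA"),
    ("alice", "SubA1"),
    ("RootB", "RootB"),
    ("SubB1", "RootB"),
    ("bob", "SubB1"),
    ("RootA", "RootB"),  # cross-certificate: RootB -> RootA
]


def index_by_subject(certs):
    """Map each subject name to the list of issuers that certified it."""
    index = {}
    for subject, issuer in certs:
        index.setdefault(subject, []).append(issuer)
    return index


def find_path(certs, subject, trust_anchors, max_depth=8):
    """Breadth-first search from an end entity up to any trust anchor.

    Returns the chain of subject names, end entity first and anchor last,
    or None when no chain terminates in a configured trust anchor.
    max_depth bounds the walk so deep or looping hierarchies cannot
    make path discovery run unbounded.
    """
    by_subject = index_by_subject(certs)
    queue = deque([(subject, [subject])])
    seen = {subject}
    while queue:
        name, path = queue.popleft()
        if name in trust_anchors:
            return path
        if len(path) > max_depth:
            continue
        for issuer in by_subject.get(name, []):
            # A self-issued certificate that is not a trust anchor is a
            # dead end: an untrusted root vouches only for itself.
            if issuer == name or issuer in seen:
                continue
            seen.add(issuer)
            queue.append((issuer, path + [issuer]))
    return None
```

Because the cross-certificate runs only from RootB to RootA, a relying party trusting RootB can validate alice's certificate, but one trusting only RootA cannot validate bob's.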
