Decentralizing PKI

GreenerJay 41 Reputation points


We have several small companies that fall under a single parent company and are all managed in a single AD domain using a decentralized administration approach. Each company has their own OU.

Mobile users in each office use a device certificate based authentication VPN to access corporate resources. The common name of the certificate is based on the device itself.

Currently all certificates for all companies are created from a single Windows CA. The problem with this design is that our inventory tracking isn't great and recently a user lost their tablet. We didn't know which certificate to revoke which resulted in us revoking all of them.

We would like to have dedicated certificate authorities for each company - that way if someone in company A loses a tablet and we don't know which individual certificate to revoke, we can just revoke all certificates for that company instead of all of them.

I wanted to get some input on the best design to accomplish this. Should we have a single offline Root CA directly under the parent company with SubCAs in each child company? Should we publish all CRLs to the same location or should each company also have their own CRL location?

Thank you in advance.

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,779 questions
0 comments No comments
{count} votes