Microsoft Tech Community

2 Tier PKI infrastructure question



I am looking to deploy a small but secure 2 tier PKI infrastructure.

The RootCA will be importing an existing externally provided private.key into a Standalone CA/Root CA server (which will be off-lined once configured).

There will also be a SubCA server (online domain attached) offering the issuing and enrolment services to the devices/workstations/user/smart cards/network devices.

My quick question (a quick one, I hope) is: with the externally imported key, this then becomes our RootCA, which we can take offline and store securely away, and we are then just left with a SubCA server providing the above services?

We will have numerous certificate templates in place on the SubCA for the various tasks.

We are also looking to use an external HSM device to store the RootCA private.key as an additional backup.

Simple but secure solution?!

Thoughts and comments most welcome!
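An added example of the build the post describes (not the poster's own code or a Microsoft-supplied script; host names, CA names, file paths and the HSM provider name are placeholders), showing the standalone root installed on an externally supplied key and certificate, its CRL sized to outlive the offline period, and the issuing CA constrained with PathLength=0 so it cannot sign further CAs:

```powershell
# Added example, not from the original post. Placeholders: C:\Keys\root-ca.pfx (the
# externally provided key + cert), hosts ROOT01 / ISSUE01, CA name "Contoso Issuing CA".

### ROOT01 (standalone, workgroup; powered off after step 2) ###
# 1. CAPolicy.inf must exist before install: no default templates, long base CRL, no delta CRL.
@'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf"
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# 2. Install the root on the existing key + certificate instead of generating a new key.
#    With an HSM-backed key, add -CryptoProviderName "<vendor KSP>" (placeholder) so the
#    private key is created/held on the device rather than in software.
$pfxPwd = Read-Host -AsSecureString "PFX password"
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CertFile "C:\Keys\root-ca.pfx" -CertFilePassword $pfxPwd -Force
# The root CRL must stay valid for as long as the box is switched off; publish it now and
# copy it to the online CDP location before powering the root down.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl

### ISSUE01 (domain-joined Enterprise subordinate CA) ###
# 3. PathLength=0 stops this CA from issuing further CA certificates.
@'
[Version]
Signature="$Windows NT$"
[BasicConstraintsExtension]
PathLength=0
Critical=Yes
[Certsrv_Server]
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf"
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "Contoso Issuing CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 -OutputCertRequestFile "C:\Keys\issuing.req" -Force
# 4. Carry issuing.req to ROOT01 on removable media and sign it there
#    (certreq -submit -config "ROOT01\<root CA name>" issuing.req issuing.cer), publish the
#    root cert and CRL into AD (certutil -dspublish -f root.crt RootCA; certutil -dspublish -f root.crl),
#    then install the signed certificate here and start the service.
certutil -installCert "C:\Keys\issuing.cer"
Start-Service certsvc
# 5. Check that the chain and CRL resolve while the root is offline.
certutil -verify -urlfetch "C:\Keys\issuing.cer"
```

Step 5 is the check worth repeating before every root CRL expiry: if it fails with a revocation error, the root needs to be brought up to publish a fresh CRL.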


