9.9 Summary

Public key infrastructures come in two flavors: public and private. Incorporating a public PKI within your corporation has numerous benefits and drawbacks. Neither flavor is inherently more or less secure; they simply rest on different strategies of trust. Begin with a detailed analysis of your intended uses for the certificates, then evaluate both flavors against that specific scenario. Only after the benefits and drawbacks of each have been weighed can a sound decision be made on which solution to use.

The Windows Server 2003 family provides a great deal of functionality for a private PKI, whereas in a public solution those services are generally provided by the vendor. Nevertheless, Windows Server 2003 does provide some essential functionality for using the public PKI model. The real benefit of using Windows Server 2003 with PKI, however, comes from using it as a certification authority within your own private PKI.

Designing and deploying a private certification hierarchy can be a daunting task. The plan must be laid out carefully in advance and can be quite complex in many cases. A number of decisions must be made early in the process; without them, the deployment cannot even begin. Once that plan is created and reviewed, it should be tested thoroughly to ensure it meets the design goals while providing the necessary security.

Once the plan is documented and tested, you can begin to deploy and configure the root CA. You now know how to deploy a multitier hierarchy once the root CA is established. After the hierarchy is in place, you can configure it for proper issuance, revocation, and ongoing management. These tasks are no less important than deploying the root CA, because any lapse in security anywhere in the chain could result in unintended trust (or an unintended loss of trust).