PKI Architecture
Design Overview
2-Tier PKI Architecture:
- Root CA: Offline, Standalone, WORKGROUP
- Issuing CA: Online, Enterprise, Domain-joined
```
             ┌─────────────────────┐
             │       Root CA       │
             │   srv-rca-zrh-01    │
             │      (Offline)      │
             │      WORKGROUP      │
             └──────────┬──────────┘
                        │
                        │ Signs
                        ↓
             ┌─────────────────────┐
             │     Issuing CA      │
             │   srv-ica-zrh-01    │
             │      (Online)       │
             │  corp.microsoftlab  │
             └──────────┬──────────┘
                        │
                        │ Issues
                        ↓
       ┌────────────────┼────────────────┐
       │                │                │
┌──────▼──────┐  ┌──────▼──────┐  ┌──────▼──────┐
│    User     │  │  Computer   │  │     Web     │
│    Certs    │  │    Certs    │  │   Server    │
│             │  │             │  │    Certs    │
└─────────────┘  └─────────────┘  └─────────────┘
```
PKI Components
| VM ID | Hostname | IP | Role | Domain |
|---|---|---|---|---|
| 310 | srv-rca-zrh-01 | 10.30.30.20 | Root CA | WORKGROUP |
| 311 | srv-ica-zrh-01 | 10.30.30.21 | Issuing CA | corp.microsoftlab.ch |
| 312 | srv-pki-zrh-01 | 10.30.30.22 | PKI Web Repo | corp.microsoftlab.ch |
| 313 | srv-pki-zrh-02 | 10.30.30.23 | PKI Web Repo | corp.microsoftlab.ch |
Certificate Validity
| CA | Key Length | Hash | Validity | CRL Period |
|---|---|---|---|---|
| Root CA | RSA 4096 | SHA256 | 20 Years | 12 Months |
| Issuing CA | RSA 3072 | SHA256 | 5 Years | 7 Days |
CRL/AIA URLs
| Type | URL |
|---|---|
| CRL | http://pki.microsoftlab.ch/crl/ |
| AIA | http://pki.microsoftlab.ch/aia/ |
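As an added example (not configuration from this lab's own build notes), the following PowerShell encodes the Root CA parameters from the Certificate Validity table and the CRL/AIA URLs above into a CAPolicy.inf and the matching certutil registry settings on srv-rca-zrh-01. The CRL/certificate file-name patterns, the local publication path and the service restart are assumptions, not values stated on this page.

```powershell
# Added example: Root CA setup for the 2-tier design above.
# CAPolicy.inf must be in %SystemRoot% BEFORE the AD CS role is installed.
# Single-quoted here-string so "$Windows NT$" is not expanded.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096           ; RSA 4096 (table: Root CA key length)
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20   ; 20-year root certificate
CRLPeriod=Months
CRLPeriodUnits=12               ; 12-month CRL for the offline root
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0           ; no delta CRLs from an offline CA
LoadDefaultTemplates=0          ; standalone root issues nothing by template

; Offline root: its self-signed cert carries no CDP/AIA pointers,
; so clients never try to fetch a CRL/issuer cert for the root itself.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# --- Run after the CA role is installed (assumed step) ---
# Certificates the root issues (i.e. the Issuing CA cert) must point at the
# HTTP repository. Flags: 65 = publish CRL (+delta) to this local path,
# 6 = write this URL into the CDP extension (+ delta hint),
# 1/2 = publish cert locally / write URL into the AIA extension.
# Tokens: %1 server DNS name, %3 CA name, %4 cert index, %8 CRL suffix, %9 delta suffix.
$local = "$env:SystemRoot\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs    "65:$local\%3%8%9.crl\n6:http://pki.microsoftlab.ch/crl/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:http://pki.microsoftlab.ch/aia/%1_%3%4.crt"

# Cap anything the root signs at 5 years, matching the Issuing CA validity.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

Restart-Service certsvc
# Publish the first 12-month CRL; copy it and the root cert to the
# srv-pki-zrh-0x web repositories by hand, since this host is offline.
certutil -crl
```

Because the root is offline, the 12-month CRL must be re-issued and copied to the web repository before it expires, or every chain anchored in it fails revocation checking.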