Channel: Security forum

CA hierarchy


Hi,

I'm trying to design a CA hierarchy but I need some advice. Maybe you can help me out. Let me describe the situation a bit.

I need to set up a PKI so that our internal domain clients can have User and Computer certificates. On the other hand, our external clients and partners can have user or computer certificates as well (VPN connection). The main reason is that we are using certificates to authenticate 802.1X to get internet access in our company. As we are software developers, we would like to sign our software in future so that our partners and external clients can trust our code. That's why we need to publish CRLs outside so that clients from outside can trust the certificate and code.

How to design that kind of hierarchy? In my opinion I need an Offline Root CA to protect our Root CA private key. Then I need an "Internal Issuing CA" for internal users and computers, and an "External Issuing CA" for external users. That makes 3 servers. I want to use OCSP as well, so one more server for that. How should I design CDP and AIA paths for the different servers? In the Root certificate there is no CRL or AIA configuration for that. When I issue certificates to the Int or Ext Issuing CAs, then the Internal Issuing CA should have LDAP (Domain Controller) and HTTP (Internal Issuing CA) paths, but what about the External Issuing CA? Does this one need only some HTTP path like "http://crl.domain.com/cert.crl" and nothing else? Plus OCSP configuration as well? Or are there any other ways to do that? I don't want to issue certificates to external clients with an LDAP or internal HTTP path inside them. It would never work anyway! If my Root CA server is non-domain and standalone, and my Internal Issuing CA is in the domain and an enterprise CA, then what about the External Issuing CA? Must this one be an enterprise CA and domain server as well, or a standalone CA?

Or maybe I'm doing it wrong in all ways? :)

Hope that my question is not too difficult. Sorry for my bad English, but maybe you can give me some advice to set things up correctly.
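For the offline root and the external issuing CA described in the question, the following is an added example (not from the post or from Microsoft) of CDP/AIA publication settings that keep only Internet-reachable HTTP URLs in issued certificates. It assumes Windows AD CS with certutil, that crl.domain.com (taken from the post) and ocsp.domain.com (a placeholder) are web hosts reachable from outside, and that the CRL/CRT files are copied from CertEnroll to that web server after each publication.

```powershell
# --- Offline standalone root CA (run in an elevated prompt on the root) ---

# Flag 1: publish the CRL to the local CertEnroll folder.
# Flag 2: put this URL into the CDP extension of certificates the CA issues.
# No LDAP entry: the root is not domain-joined and external relying parties
# could not resolve an LDAP path anyway.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://crl.domain.com/%3%8%9.crl"

# Flag 1: publish the CA certificate locally.
# Flag 2: reference it over HTTP in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://crl.domain.com/%3%4.crt"

# An offline root is powered on rarely, so its CRL gets a long lifetime and
# no delta CRLs (CRLDeltaPeriodUnits 0 disables them). Issuing CAs use much
# shorter periods because they revoke end-entity certificates day to day.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl   # reissue the CRL, then copy CertEnroll\*.crl and *.crt to crl.domain.com

# --- External issuing CA (same idea, plus an OCSP pointer) ---

# Certificates for VPN partners and code signing carry only public HTTP URLs.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://crl.domain.com/%3%8%9.crl"

# Flag 32: add this URL as an OCSP access method in the AIA extension, so
# external clients can check status online without downloading the full CRL.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://crl.domain.com/%3%4.crt\n32:http://ocsp.domain.com/ocsp"

# Short base and delta CRL lifetimes for an online issuing CA.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

Restart-Service certsvc
certutil -crl

# Verify the result from any client before trusting the chain:
#   certutil -verify -urlfetch <issued-cert.cer>
# reports whether every CDP and AIA URL in the chain could actually be fetched.
```

The `%3%8%9` and `%1_%3%4` tokens are certutil's own variables (CA name, CRL name suffix, delta-CRL-allowed, server DNS name, certificate name) and are expanded by the CA when it publishes.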
