
Active Directory Certificate Services PKI Architecture


Hello everyone,

I have some generic questions on AD CS and ultimately best practices. I have looked around and just can't find details. I have set up a lab environment using a two-tiered approach where I have a single root and a couple of subordinates, and they appear to be operational.

1. How many different PKI setups can you have in a single Active Directory Forest with a single Domain? The reason I ask is that even though I have multiple intermediary CAs, they ultimately trust the same Root. Example: say I have two SharePoint farms, one for developers and one for marketing. They both require client-side certs. Even if I sign Dev SP with one CA and the Marketing SP with the other CA, since they are both under the same Root CA, they can access each other's SharePoint instance (computer cert). If I had two and ultimately more Root CAs, I could sign each SharePoint certificate with a separate CA tree. Hopefully this makes sense. As you can see, I could possibly have multiple PKI Root CAs depending on function: one for computers, one for users, one for BYOD, one for a specific SharePoint farm, etc. A single PKI doesn't seem practical considering that just because all the machines belong to the same domain doesn't mean they should have access to the same PKI resources.

2. In reference to question 1, assuming it is not best practice to have more than one PKI Root CA, can I trust the intermediary CA on some machines as root and another intermediary CA on other machines to separate the trust?

3. Assuming it is OK to have multiple Root CAs, should I disable the "Certificate Templates" that come up by default in a base CA install, like "Domain Controller Authentication", "Domain Controller", "Administrator", etc., and only have a "Single" PKI implementation with those standard Certificate Templates?

Thanks in advance for any information you provide.

Paul


PJudt
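To illustrate the point raised in question 1, here is an added example written for this page (it is not code from the original post and is not AD CS behaviour): it uses the Python `cryptography` library to build a lab hierarchy like the one described (one root, a Dev and a Marketing issuing CA, one client certificate under each) and walks each chain by hand to show that the trust anchor, not the issuing CA, decides whether a certificate chains up. The CA names, the constructed certificates and the simplified path walk are assumptions for the demo; how Windows itself treats a non-root certificate placed in a root store is not addressed here.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
def _cert(cn, key, issuer=None, issuer_key=None, ca=False):
    """Issue a certificate for `key`; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
def signed_by(cert, issuer):
    """True if the issuer name matches and the issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False
def chain_is_trusted(cert, intermediates, anchors, depth=0):
    """Walk issuer links up from cert; trusted once a link is signed by an anchor."""
    if any(signed_by(cert, a) for a in anchors):
        return True
    if depth >= len(intermediates):  # bounded so a malformed set cannot recurse forever
        return False
    return any(chain_is_trusted(i, intermediates, anchors, depth + 1)
               for i in intermediates if signed_by(cert, i))

# Constructed lab hierarchy mirroring the post (assumed names, not real CAs).
ROOT_KEY, A_KEY, B_KEY = _key(), _key(), _key()
ROOT = _cert("Lab Root CA", ROOT_KEY, ca=True)
INT_A = _cert("Dev Issuing CA", A_KEY, ROOT, ROOT_KEY, ca=True)
INT_B = _cert("Marketing Issuing CA", B_KEY, ROOT, ROOT_KEY, ca=True)
DEV_CLIENT = _cert("dev-workstation", _key(), INT_A, A_KEY)
MKT_CLIENT = _cert("marketing-workstation", _key(), INT_B, B_KEY)

def demo():
    # Verdicts with the shared root as anchor vs. with only the Dev issuing CA as anchor.
    clients, ints = {"dev": DEV_CLIENT, "mkt": MKT_CLIENT}, [INT_A, INT_B]
    root_anchor = {n: chain_is_trusted(c, ints, [ROOT]) for n, c in clients.items()}
    dev_anchor = {n: chain_is_trusted(c, ints, [INT_A]) for n, c in clients.items()}
    return root_anchor, dev_anchor  # ({'dev': True, 'mkt': True}, {'dev': True, 'mkt': False})
```

With the root as the anchor both farms' client certificates validate, which is why a chain check alone does not keep Dev and Marketing apart; a service that must distinguish them has to authorize on the issuing CA (or trust only that CA), as the second half of `demo` models.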

