Peeling the onion – how many layers should your PKI have?

I've been talking to a colleague who insists a 1-tier PKI infrastructure is better than a 2-tier PKI infrastructure but without providing details on exactly why.  Is it better?  The word "Better" is fairly meaningless as a quantitative descriptor.  If you're talking to someone that uses that word when describing an IT-related subject it probably…


ADCS and dedicated CRL-signing certificates

We're seeing what appears to be random revocation checking failures on clients for certificates issued by our CA. The infrastructure is a 2-tier PKI with an OCSP defined on the issuing CA certificate and the CRL from the Root CA signed by a dedicated CRL-signing certificate (i.e. not the issuing cert).  We've observed that in cases…


Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations – however, once your CA database goes beyond the toddler stage and starts exceeding a few gigabytes you should consider tweaking a few knobs on it for better performance. Avoid ticking auditing for Startup/Shutdown of the ADCS service (this causes a hashing of the database…
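The start/stop audit category mentioned above is one bit in the CA's AuditFilter value. The following PowerShell is an added example, not code from the original post: it reads the active CA's AuditFilter from the registry, clears only the start/stop bit (0x1, the documented certutil bit for "Start and stop Active Directory Certificate Services") and leaves the other audit categories as they are. It assumes it is run elevated on the CA itself, and that the registry layout under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration is the standard one, where the Active value names the CA and the per-CA subkey holds AuditFilter.

```powershell
# Added example: turn off start/stop auditing on the local ADCS CA without touching
# the other audit categories. Assumes the standard CertSvc registry layout.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # name of the active CA
$caKey     = Join-Path $configKey $caName

$startStopBit = 1   # 0x1 = audit start/stop of the CA service (this is what triggers the DB hash)

$filter = (Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
if ($null -eq $filter) { $filter = 0 }   # value absent means no auditing configured

if ($filter -band $startStopBit) {
    Write-Host ("AuditFilter is 0x{0:X}: start/stop auditing is ON" -f $filter)
    $newFilter = $filter -bxor $startStopBit   # clear only that bit, keep the rest
    # Equivalent to: certutil -setreg CA\AuditFilter $newFilter
    Set-ItemProperty -Path $caKey -Name AuditFilter -Value $newFilter -Type DWord
    # The CA reads AuditFilter at startup, so the change needs a service restart.
    Restart-Service -Name CertSvc
    Write-Host ("AuditFilter now 0x{0:X}: start/stop auditing is OFF" -f $newFilter)
} else {
    Write-Host ("AuditFilter is 0x{0:X}: start/stop auditing already OFF" -f $filter)
}
```

Run it once before a maintenance window; the restart itself is what would otherwise trigger the database hash, so schedule it like any other CA restart. Check the result afterwards with `certutil -getreg CA\AuditFilter`.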
