The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.
1. How many root CAs can an enterprise have?
2. Can the root CAs issue certificates?
3. Are we only supposed to have two intermediary CAs? Can we have multiple CAs?
4. Can an enterprise PKI architecture exist without a root CA?
5. Can we have certificate templates in stand-alone CAs?
6. Do we need Active Directory support to create certificate templates in the organization?
Answers
1. You can only have one root CA. This root CA will manage one or many other CAs.
2. Yes; however, it is not recommended. The root CA should be protected by the intermediary CAs and should be disconnected from the network.
3. Yes. The best practice is to have an internal and external intermediary CA (minimal requirement). You can design the PKI architecture to have multiple CAs for other purposes. (You might have a large client that accumulates 60 percent of your business. You can dedicate a special external CA just for this client.)
4. Yes. A network trust hierarchy model does not have a root CA. However, a global directory (such as Active Directory) must be populated to find the other fellow CAs of the enterprise.
5. Yes. Certificate templates are available in both enterprise and stand-alone servers.
6. Yes. Certificate templates will not be available if no Active Directory is present.