Offline Root CAs / Two Tier Hierarchy


I have come across many questions about whether, when deploying a PKI, a two tier PKI hierarchy with an offline root should be used.

The answer is yes, an offline Root should be used in pretty much all environments. So, why? Some might ask, "I have a super small environment, do I really need to do this?" The answer is, yes. So, again, why?

First, what is the reason for having an offline Root, which pretty much guarantees that you then have to set up a two or three tier hierarchy?

Root CA

The Root CA's main role is to be the trust anchor for the PKI hierarchy. In other words, the self-signed certificate that the Root CA generates is distributed to all devices that will need to trust the PKI. So, when you have a Root CA and Issuing CAs that are subordinate to it, you only have one certificate to distribute: no matter how many issuing CAs you decide to deploy, you only have one Root certificate to push out. Some applications may require you to install the subordinate CA certificates as well, but many applications can fetch the subordinate CA certificates from the AIA repository.

Two Tier Hierarchy?

So, let’s say you have a small environment, and you are only planning to install one Issuing CA. Do you still need an offline root and a two-tier hierarchy? Yes. The reason you still want this is that it allows you to expand your PKI later if necessary: you can add additional issuing CAs that chain to the same trusted root. While you may only need one CA at this time, it is impossible to anticipate the future needs of your organization, so by deploying a two tier PKI you make your PKI scalable. If you do not install a two tier hierarchy you are limited, because if you later decide to expand your PKI, you either need to rebuild with an offline Root or manage multiple Issuing CAs that are also Root CAs (and distribute every one of their certificates). So, to avoid these future limitations you still want to deploy a two tier PKI, or in some edge case scenarios a three tier PKI.

Offline Root

What is an offline root? An offline Root is a Root CA that is disconnected from the network for its entire “lifetime”. The OS should be installed without network connectivity, and the machine should never be connected to a network, not even for a minute.

What are the inconveniences of having an offline Root?

The main problem is that you must periodically issue a new CRL on the Root CA and then copy that CRL to the CRL Distribution Point (CDP) repositories. If the published CRL expires before you do, clients can no longer validate the chain and that can cause outages in your environment.

So, do you need to make your Root CA an offline CA?
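The hierarchy and the CRL chore described above, as an added OpenSSL illustration that is not code from the original post (and not the Windows CA tooling the post has in mind): the root key signs exactly one issuing CA and one CRL, and `crl_days_left` is the kind of check a CDP monitor should run so the CRL is replaced long before it expires. Assumes `openssl` and GNU `date` on a Linux host; all names, paths and keys are constructed throwaways.

```shell
#!/bin/sh
# Constructed two-tier demo: offline root signs an issuing CA and publishes a CRL.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# One config: empty DN section (we pass -subj), extension sections for each
# tier, and the 'ca' section openssl needs to issue the root CRL.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = root
[root]
database = index.txt
crlnumber = crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 180
EOF

# 1. Offline root: self-signed trust anchor, the one certificate everyone gets.
openssl req -x509 -config pki.cnf -extensions root_ext -newkey rsa:2048 -nodes \
  -sha256 -days 3650 -subj "/CN=Demo Offline Root CA" -keyout root.key -out root.crt 2>/dev/null
# 2. Issuing CA: key and CSR are made online; only the CSR travels to the root (sneaker-net).
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
  -sha256 -extfile pki.cnf -extensions sub_ext -out issuing.crt 2>/dev/null
# 3. Root CRL: the periodic chore; default_crl_days is your window to re-publish to every CDP.
: > index.txt; echo 01 > crlnumber
openssl ca -config pki.cnf -gencrl -out root.crl 2>/dev/null

# Exit 0 only if issuing.crt chains to the root AND the root CRL is present, valid and unexpired.
verify_chain() { openssl verify -crl_check -CAfile root.crt -CRLfile root.crl issuing.crt >/dev/null 2>&1; }
# Whole days until the CRL's nextUpdate (GNU date); alert well before this reaches 0.
crl_days_left() {
  next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2-)
  echo $(( ($(date -d "$next" +%s) - $(date +%s)) / 86400 ))
}
verify_chain && echo "chain OK; root CRL valid for $(crl_days_left root.crl) more days"
```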

Yes. As mentioned earlier, the Root CA is the trust anchor of the PKI. Also, you want to put as much security around CAs as possible, since if they are compromised, certificates that are trusted in your environment can be issued. And if a malicious actor compromises your CA, they can impersonate identities in your environment. So, the security guidance is to keep CAs offline if they issue certificates infrequently. Issuing CAs are online because they issue certificates very frequently. Root CAs and Policy CAs are kept offline because they issue certificates very infrequently.

To explain this further, let’s use a fictional scenario. Let’s say you have an Offline Root CA, and you have an Issuing CA that only issues Code Signing certificates for your organization. And let’s say that, due to the sensitivity of these types of certificates, you want to provide maximum security for the Code Signing CA. Your development group typically only requests Code Signing certificates 5 times a year. In this scenario you would keep the CA offline and only bring it online 5 times a year. And if possible, like the Root CA, you would set it up as a standalone CA and keep it disconnected from the network (offline). Sure, this makes administration a bit harder since you have to sneaker-net the requests to the CA and the certificates off the CA. But it dramatically increases the security of the CA, so it is worth the trade-off.

So, to answer the question “Why have an offline root?”

  • Because the CA infrequently issues certificates and CRLs
  • Because compromise of the CA can result in, or assist in, the compromise of your environment (possibly including Active Directory)
  • If it is not connected to the network, it cannot be attacked from the network
  • It is best practice and if your PKI gets audited you will be flagged for not having it offline
  • If you later have to convert an online Root CA to an offline CA, you will potentially have to revoke previously issued certificates and renew the Root CA certificate, if not redeploy the Root CA altogether

Why should I not deploy a single tier PKI?

  • Having the Root CA online violates best practice, for the reasons above
  • The PKI is not scalable (we want to future-proof deployments, so we can avoid having to redeploy the PKI in the future)
  • If your PKI is audited, you will be flagged during the audit, since your Root CA is online