Updated: July 11, 2020 (November 12, 2001)
Microsoft PKI Architectural Diagram
This PKI for an imaginary company illustrates a corporate headquarters and two subsidiaries, one in the United States and the other in the United Kingdom, each with its own IT department. It uses a hierarchical certificate authority (CA) model with a root CA and an intermediate CA based at corporate headquarters, and three issuing CAs: one at headquarters, one in the U.S. subsidiary, and one in the U.K. subsidiary. Headquarters and each subsidiary manage their own Active Directory (AD) domain and their own issuing CA. Corporate headquarters also manages the root and intermediate CAs.
The root CA is self-signed and could be kept offline for better security. Each child CA has a special certificate, signed by its parent, that allows it to act as a CA. Users can obtain certificates from their respective issuing CA using a Web application, and computers can automatically receive machine certificates if set by Group Policy. Otherwise, an administrator requests one on the computer's behalf.
Because each entity in the chain has its certificate signed by the one above it, all certificates have a “trust chain” leading back to the root CA, thus enabling trust of all valid and nonrevoked certificates issued by the PKI. If a CA’s own certificate were to be revoked or expire, all child CA and end-entity certificates would also become invalid.
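The chain-of-trust behaviour described above can be shown in code. The following is an added example, not part of the original page or of any Microsoft product: it is a toy model of the diagram's hierarchy (root, intermediate, three issuing CAs, end entities) in which an HMAC stands in for a real signature and plain day numbers stand in for validity dates, with all names and validity periods constructed for the example. `validate_chain` builds the path from an end-entity certificate up to the trusted root and applies the checks a relying party makes: every certificate on the path must be unrevoked and in date, each must be signed by the one above it, and that issuer must itself hold a CA certificate. The scenarios in `main` show that revoking the U.K. issuing CA invalidates only U.K. certificates while revoking the intermediate invalidates all three subsidiaries at once.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """The fields a relying party checks; a real X.509 certificate carries many more."""
    subject: str
    issuer: str
    is_ca: bool        # CA flag: may this certificate sign other certificates?
    not_before: int    # validity window, expressed as plain day numbers in this toy
    not_after: int
    signature: str     # made by the issuer's key over to_be_signed()

    def to_be_signed(self) -> str:
        return f"{self.subject}|{self.issuer}|{int(self.is_ca)}|{self.not_before}|{self.not_after}"


class CA:
    """A certificate authority holding a simulated private key (toy, not a real CA)."""

    def __init__(self, name: str):
        self.name = name
        # Toy key: an HMAC secret derived from the name so the example is deterministic.
        # A real CA key is random and asymmetric, and a root's key is best kept offline.
        self.key = hashlib.sha256(f"toy-ca-key:{name}".encode()).digest()

    def issue(self, subject: str, is_ca: bool, not_before: int, not_after: int) -> Cert:
        draft = Cert(subject, self.name, is_ca, not_before, not_after, "")
        sig = hmac.new(self.key, draft.to_be_signed().encode(), hashlib.sha256).hexdigest()
        return Cert(subject, self.name, is_ca, not_before, not_after, sig)


def validate_chain(leaf, certs, keys, trusted_roots, revoked, today):
    """Build the path leaf -> issuing CA -> intermediate -> root and apply the checks
    a relying party makes. Returns (True, path) or (False, reason).
    `keys` maps a CA name to its verification key (in this toy, the same HMAC key)."""
    path = [leaf]
    while path[-1].subject not in trusted_roots:
        parent = certs.get(path[-1].issuer)
        if parent is None or len(path) > 8:
            return False, f"no path to a trusted root from {leaf.subject}"
        path.append(parent)
    # Every certificate on the path, the CAs included, must be unrevoked and in date;
    # this is why a revoked or expired CA certificate cuts off everything below it.
    for cert in path:
        if cert.subject in revoked:
            return False, f"{cert.subject} is revoked"
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject} is outside its validity period"
    # Each certificate must be signed by the one above it, and that one must be a CA.
    # The root is paired with itself, which checks its self-signature.
    for child, parent in zip(path, path[1:] + [path[-1]]):
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA and may not issue certificates"
        key = keys.get(parent.subject)
        if key is None:
            return False, f"no verification key for {parent.subject}"
        expected = hmac.new(key, child.to_be_signed().encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, child.signature):
            return False, f"signature on {child.subject} does not verify under {parent.subject}"
    return True, " -> ".join(c.subject for c in path)


def build_example_pki():
    """The hierarchy from the diagram, with constructed names and validity periods."""
    root = CA("HQ Root CA")
    inter = CA("HQ Intermediate CA")
    issuing = {site: CA(f"{site} Issuing CA") for site in ("HQ", "US", "UK")}
    cas = {ca.name: ca for ca in (root, inter, *issuing.values())}
    keys = {name: ca.key for name, ca in cas.items()}
    certs = {}
    certs[root.name] = root.issue(root.name, True, 0, 7300)   # self-signed root
    certs[inter.name] = root.issue(inter.name, True, 0, 3650)
    for site, ca in issuing.items():
        certs[ca.name] = inter.issue(ca.name, True, 0, 1825)
        for subject in (f"alice@{site.lower()}.example", f"pc-{site.lower()}-01"):
            certs[subject] = ca.issue(subject, False, 100, 465)   # end entities: not CAs
    return certs, keys, {root.name}, cas


if __name__ == "__main__":
    certs, keys, roots, _ = build_example_pki()
    for revoked in (set(), {"UK Issuing CA"}, {"HQ Intermediate CA"}):
        for user in ("alice@us.example", "alice@uk.example"):
            print(sorted(revoked), user, validate_chain(certs[user], certs, keys, roots, revoked, 200))
```

In a real Windows PKI the relying party looks up revocation by serial number in the issuer's CRL (or via OCSP) rather than by subject name, and verifies signatures with the public key carried in the issuer's certificate; the toy keeps only the structure of those checks.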