1
00:00:07,420 --> 00:00:15,760
When you decide to implement AD CS in your organization, one of the first decisions you must take is

2
00:00:15,760 --> 00:00:26,080
how to design your CA hierarchy. CA hierarchy determines the core design of your internal PKI and

3
00:00:26,170 --> 00:00:31,190
determines the purpose of each CA in the hierarchy.

4
00:00:32,210 --> 00:00:42,390
Each CA hierarchy usually includes two or more CAs. Usually the second CA and all others

5
00:00:42,390 --> 00:00:49,600
after that are deployed with a specific purpose. Only the root CA is mandatory.

6
00:00:50,400 --> 00:00:59,460
Having a multi-level CA hierarchy that is deployed to use PKI and certificates is not mandatory for

7
00:00:59,460 --> 00:01:01,910
smaller and simpler environments.

8
00:01:01,920 --> 00:01:06,780
You can have a CA hierarchy with just one deployed CA.

9
00:01:06,890 --> 00:01:10,950
This is usually deployed as an enterprise root CA.

10
00:01:11,490 --> 00:01:21,510
Additionally, you may choose to not deploy an internal CA at all and to use externally provided certificates.

11
00:01:22,530 --> 00:01:32,430
If you decide to implement a CA hierarchy and have deployed a root CA already, you must decide which roles

12
00:01:32,880 --> 00:01:38,180
to assign CAs on the second and third tiers.

13
00:01:38,220 --> 00:01:49,440
In general, it is not recommended to build a CA hierarchy deeper than three levels unless it is in a complex

14
00:01:49,440 --> 00:01:59,650
and distributed environment. Most commonly, CA hierarchies have two levels, with the root CA at the

15
00:01:59,650 --> 00:02:09,720
top level and the subordinate issuing CA on the second level. Usually the root CA is taken offline

16
00:02:09,990 --> 00:02:16,820
while the subordinate CA issues and manages certificates for all clients.

17
00:02:17,640 --> 00:02:26,880
However, in some more complex scenarios you can also deploy other types of CA hierarchies. In general, CA

18
00:02:26,910 --> 00:02:30,780
hierarchies fall into one of the following categories.

19
00:02:32,190 --> 00:02:43,140
CA hierarchies with a policy CA. This category is for policy CAs, which are types of subordinate CAs

20
00:02:43,200 --> 00:02:48,990
that are directly below the root CA in a CA hierarchy.

21
00:02:49,160 --> 00:02:59,460
You use policy CAs to issue CA certificates to subordinate CAs that are directly below the

22
00:02:59,690 --> 00:03:11,170
policy CA in the hierarchy. The role of a policy CA is to describe the policies and procedures that an organization

23
00:03:11,650 --> 00:03:15,020
implements to secure its PKI,

24
00:03:15,220 --> 00:03:24,730
the processes that validate the identity of certificate holders, and the processes that enforce the

25
00:03:24,730 --> 00:03:27,900
procedures that manage certificates.

26
00:03:29,350 --> 00:03:40,640
Policy CA issues certificates only to other CAs. The CAs that receive this certificate must uphold

27
00:03:40,730 --> 00:03:52,710
and enforce the policies that the policy CA defined. Using policy CAs is not mandatory unless different

28
00:03:52,830 --> 00:04:03,780
divisions, sectors, or locations of your organization require different issuance policies and procedures.

29
00:04:05,110 --> 00:04:05,800
However,

30
00:04:05,830 --> 00:04:16,540
if your organization requires different issuance policies and procedures, you must add policy CAs to the

31
00:04:16,540 --> 00:04:21,230
hierarchy to define each unique policy.

32
00:04:21,310 --> 00:04:32,230
For example, an organization can implement one policy CA for all certificates that it issues internally to

33
00:04:32,470 --> 00:04:42,490
employees and another policy CA for all certificates that it issues to users who are not employees.

34
00:04:44,130 --> 00:04:52,050
Another category is CA hierarchies with cross-certification trust.

35
00:04:52,230 --> 00:05:02,580
In this scenario, two independent CA hierarchies interoperate when a CA in one hierarchy issues a cross-

36
00:05:02,580 --> 00:05:09,210
certified CA certificate to a CA in another hierarchy.

37
00:05:09,210 --> 00:05:22,460
When you do this, you establish mutual trust between different CA hierarchies. Another category is CAs

38
00:05:22,760 --> 00:05:25,630
with a two-tier hierarchy.

39
00:05:26,120 --> 00:05:35,330
In a two-tier hierarchy, there is a root CA and at least one subordinate CA. In this scenario,

40
00:05:35,360 --> 00:05:43,880
the subordinate CA is responsible for policies and for issuing certificates to requesters.