Certificate authorities

    We may have a need for 25K to 30K mutual authentication certificates and I figure it may be cost prohibitive to use a third party such as Verisign. So, anyone out there host their own CA? If so, how big of an administrative nightmare is it?

    We don't do our own CA/RA functions, yet. Perhaps never will.
    Problems: securing a CA is quite expensive. You need 24h availability, very strong access control measures, very good environmental security and strong procedures.

    Mutual authentication: do you mean that you want other parties to authenticate at your CA or your certificate holders to authenticate at a third party? If so: don't do it yourself for such a small number. Cross certification is a few factors more expensive than a regular internal CA function, since other root CAs need to trust your security. That means accreditation by a third party auditor.

    And please don't forget all key management procedures, identification and authentication that come with it. Very expensive to set up and to run. 30K is a relatively small number.

    Installing a Windows certificate server is almost for free, but don't underestimate the other costs. If, however, you only need an internal PKI, by all means start with a Windows server and use ADS for storage. But as soon as you cross domain borders: don't.
