In deciding to deploy a private certification hierarchy, you have taken on the task of correctly planning your own architecture and deployment. This is an opportunity for you to revisit your need for a PKI and structure it to meet those needs. Once deployed, it is extremely difficult and expensive to make large changes, so getting it correct from the beginning is quite important.

Numerous considerations will impact the planning of the hierarchy. These should be primarily based on the established business need. The PKI deployment will be supporting and enabling other technologies. The hierarchy should be based on those other technologies and their use of certificates. For example, if your email program does not support certificate chains of a specific length, you may want to plan your deployment to ensure this level of depth is not reached.

The hierarchy is also sometimes based on organizational or political divisions within a company. Many departments have their own IT group that makes decisions for that department and does not coordinate with other groups. Often, managers refuse to allow staff from another department to make security-based decisions that may affect their assets, such as the decision to issue a key recovery agent certificate. These types of situations should be avoided if possible as they unnecessarily complicate the hierarchy and often break technologies that would otherwise work correctly.