Our company is being acquired by another company and we are curious about the requirements needed to create a cross-certification / bridge CA solution.
Cross-Certification is issuing a Cross Certification Auth. certificate to the root CA of Fabrikam from Contoso's Issuing CA.
"The effect of this Cross Certification Authority certificate is that the Fabrikam Root CA appears as a subordinate CA of the Contoso Issuing CA when the certificate is presented to a computer at Fabrikam."
Is there a preferred method and why?
You will need simple cross-certification. It is suitable to "friend" two PKIs in an easy and convenient way. Each organization cross-certifies the other organization and publishes the cross-certificates within its own organization.
Simple cross-certification isn't very scalable. In practice, it will work for no more than 3 fully connected peers. In order to establish complete trust between all parties, the number of cross-certificates to be issued is calculated as follows: . In other words, it is a complete graph topology.
When there are 4 or more participants, the total number of issued cross-certificates increases dramatically. This is where CA bridging helps. The graph is transformed into a star topology, where the Bridge CA is the center of the topology and is connected to every participant with a single edge. The total number of required cross-certificates is calculated as follows:
Each party issues a single cross-certificate to the Bridge CA and the Bridge CA issues back a single cross-certificate to each party. When another organization presents you their certificate, its chain is looped through the Bridge CA cross-certificate and ends up at your own root CA.
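To make the two topologies concrete, here is an added example (not part of the original answer) that models each cross-certificate as an (issuer, subject) pair between CA names, counts how many certificates each topology needs, and builds the validation path a relying party would follow from the root that signed a presented certificate back to its own trust anchor. Contoso and Fabrikam are the organization names from the question; BridgeCA, Northwind and Tailspin are constructed names, and the path builder is a simplified graph search rather than a real X.509 path-validation implementation.

```python
from collections import deque
from itertools import permutations

# Cross-certificate = (issuer CA, subject CA): the issuer's CA has signed a
# certificate for the subject CA's root key, so a chain can step from
# subject up to issuer.

def mesh_cross_certs(orgs):
    """Simple cross-certification: every organization issues a cross-certificate
    to every other organization's root (a complete, directed graph)."""
    return {(issuer, subject) for issuer, subject in permutations(orgs, 2)}

def bridge_cross_certs(orgs, bridge="BridgeCA"):
    """Bridge CA: each party issues one cross-certificate to the bridge and the
    bridge issues one back to each party (a star topology)."""
    certs = set()
    for org in orgs:
        certs.add((org, bridge))     # party -> bridge
        certs.add((bridge, org))     # bridge -> party
    return certs

def build_chain(presented_root, trust_anchor, cross_certs):
    """Return the list of CA names from the relying party's trust anchor down to
    the root that signed the presented certificate, or None when no path of
    cross-certificates connects them. Breadth-first, so the shortest chain wins."""
    if presented_root == trust_anchor:
        return [trust_anchor]
    issuers_of = {}
    for issuer, subject in cross_certs:
        issuers_of.setdefault(subject, []).append(issuer)
    queue = deque([[presented_root]])   # paths grow upward: subject -> issuer
    seen = {presented_root}
    while queue:
        path = queue.popleft()
        for issuer in sorted(issuers_of.get(path[-1], [])):
            if issuer == trust_anchor:
                return list(reversed(path + [issuer]))
            if issuer not in seen:
                seen.add(issuer)
                queue.append(path + [issuer])
    return None

def cert_counts(n_orgs):
    """Number of cross-certificates needed for n organizations in each topology."""
    orgs = [f"Org{i}" for i in range(n_orgs)]   # constructed placeholder names
    return len(mesh_cross_certs(orgs)), len(bridge_cross_certs(orgs))

if __name__ == "__main__":
    orgs = ["Contoso", "Fabrikam", "Northwind", "Tailspin"]
    for n in (2, 3, 4, 10):
        mesh, bridge = cert_counts(n)
        print(f"{n:2d} orgs: mesh needs {mesh:3d} cross-certs, bridge needs {bridge:3d}")

    # A Contoso relying party validating a certificate issued under Fabrikam's root.
    print(build_chain("Fabrikam", "Contoso", mesh_cross_certs(orgs)))
    print(build_chain("Fabrikam", "Contoso", bridge_cross_certs(orgs)))

    # Cross-certification is directional: if only Contoso has issued a
    # cross-certificate to Fabrikam, Fabrikam's relying parties still cannot
    # chain Contoso-issued certificates to their own root.
    one_way = {("Contoso", "Fabrikam")}
    print(build_chain("Fabrikam", "Contoso", one_way))   # works
    print(build_chain("Contoso", "Fabrikam", one_way))   # None
```

With the mesh the chain is Contoso -> Fabrikam directly; with the bridge it becomes Contoso -> BridgeCA -> Fabrikam, one hop longer but with the certificate count growing linearly rather than quadratically. The one-way case is the practical check to remember: both directions have to be issued and published before either side's relying parties can validate the other's certificates.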