Existing customer security policy may already define the necessary approach. Where this has not yet been defined, an assessment of requirements should help identify the appropriate option. The following guidance may be helpful:
A deployment with external interfaces and many external clients would suggest an external, public Certificate Authority (Approach 3).
A deployment with no external interfaces, or few external clients would suggest an internal Certificate Authority (Approach 1).
A deployment that requires IP addresses or private domain names in the certificate fields cannot use a public Certificate Authority, so Approach 1 (internal Certificate Authority) is the suitable option.
A deployment that offers any service to the public should use an external, public Certificate Authority (Approach 3).
A branch deployment with System Manager will typically use SCEP (Approach 4).
Although five approaches are outlined above, a mix may be appropriate; for example, an external public CA for public-facing servers and an internal CA for all others. A hybrid approach cannot be used when VoIP endpoint resilience is active: the root CA for both the home and backup server must be the same.
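The guidance above is a decision procedure, and it is easy to get wrong when a certificate request mixes public host names with IP addresses or private names. The following is an added example (not part of the original guidance and not vendor code) that applies the rules as stated: it classifies the subject alternative names of a planned certificate, flags those that a public CA cannot issue, and recommends Approach 1, Approach 3 or a hybrid, refusing the hybrid when VoIP endpoint resilience is active. The list of private suffixes, the host names and the IP addresses are constructed assumptions for illustration; the single-label and suffix heuristics are deliberately conservative.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed list of top-level suffixes that a public CA will not certify.
# This is the example's own heuristic, not a definitive list.
PRIVATE_SUFFIXES = {
    "local", "lan", "internal", "corp", "home", "intranet",
    "localhost", "test", "example", "invalid",
}


def is_ip_address(name: str) -> bool:
    """True if the SAN entry is an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def is_private_domain_name(name: str) -> bool:
    """True for names a public CA cannot certify per the guidance above:
    single-label hosts (e.g. 'ipoffice') and names under a private suffix."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return True
    return labels[-1] in PRIVATE_SUFFIXES


def names_requiring_internal_ca(sans: Iterable[str]) -> List[str]:
    """Return the SAN entries that force an internal CA (Approach 1)."""
    return [n for n in sans if is_ip_address(n) or is_private_domain_name(n)]


def recommend_ca_approach(
    sans: Iterable[str],
    public_service: bool = False,
    many_external_clients: bool = False,
    voip_resilience: bool = False,
) -> Tuple[str, str]:
    """Apply the selection rules and return (recommendation, reason)."""
    internal_only = names_requiring_internal_ca(sans)
    wants_public_ca = public_service or many_external_clients

    if internal_only and wants_public_ca:
        # Public-facing service but some names cannot come from a public CA:
        # the only way to satisfy both is separate certificates (hybrid),
        # which the guidance rules out when VoIP resilience is active.
        if voip_resilience:
            return (
                "conflict",
                "public-facing deployment needs a public CA, but %s require an "
                "internal CA; a hybrid is not allowed with VoIP resilience because "
                "home and backup servers must share the same root CA" % internal_only,
            )
        return (
            "hybrid",
            "public CA (Approach 3) for public-facing servers, internal CA "
            "(Approach 1) for %s" % internal_only,
        )
    if internal_only:
        return ("Approach 1", "internal CA required for %s" % internal_only)
    if wants_public_ca:
        return ("Approach 3", "public service or many external clients")
    return ("Approach 1", "no external interfaces or few external clients")


if __name__ == "__main__":
    # Constructed sample SAN list for a mixed deployment.
    sample_sans = ["sbc.example.com", "ipoffice.acme.local", "10.1.2.3", "ipoffice"]
    print(names_requiring_internal_ca(sample_sans))
    print(recommend_ca_approach(sample_sans, public_service=True))
    print(recommend_ca_approach(sample_sans, public_service=True, voip_resilience=True))
```

Run it against the SAN list of a planned certificate request before choosing the CA; the "conflict" result is the case the last paragraph warns about, where resilience forces a single root and the name set must be reduced to what one CA can issue.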