Creating a CA Hierarchy
CA’s are almost never found alone. For security and management reasons, the issuance of certificates is broken into layers. Each layer represents a higher level of security. The very top layer is the Root CA. The Root CA is the cornerstone of trust for the entire hierarchy. If the Root CA were to be compromised, the entire PKI would be considered untrustworthy. Root CAs are the most heavily secured computers in the world. It is not unreasonable to expect computers functioning as the Root CA to have 24×7 armed guards, be disconnected from any network, and be stored in a safe, in a secure building. Many companies never allow a single person to be alone with the Root CA. All changes and access must be witnessed and supervised. These CAs are often used to certify a second layer of CAs known as Subordinate CAs. Subordinate CAs in many companies are directly connected to the network and are used to manage user certificates. These computers are still secure, but not to the extent that the Root CA is secured as compromise of a Subordinate CA only affects part of the PKI. In very large companies, the Subordinate CAs may be organized by geographic, political or functional boundaries. In some cases these CAs may be used to certify a third layer of issuing CAs.