Purpose behind subordinate Certificate Authorities
Solution 1:
It's generally considered good practice to have at least 2 tiers: the root CA and the subordinate issuing CAs. The issuing CAs issue all the certificates to your machines or users, and the root issues the subordinate CA certificates. This means you can turn off the root when not commissioning a new subordinate CA, and protect that root by detaching it from the network, locking it in a vault and putting big scary signs up. The question is why would you want to do this?
The purpose of certificates is to do a number of things, but one is to authenticate one person or piece of kit to another. The way the certificate does this is by signing data with a private key and allowing you to check this signature with the public key in the certificate. If it validates then you know the source can be trusted, as only it would have the private key. The question then becomes how can I trust the certificate and public key. You can trust this because it's signed with the private key of the issuing CA. The upshot of this is if your CAs are compromised you can trust nothing.
The benefit therefore of sub-CAs and an offline root is that your root CA and associated keys are almost impossible to compromise. If one of your sub-CAs is compromised then you simply revoke the issuing sub-CA and build another one, re-issuing your certs and CRLs. All certs issued from the compromised CA will no longer be trusted. You can't do this if your root has been compromised, and people could end up trusting that they are connecting to your infrastructure when they are not.