I have a requirement to design a CA Infra. We have multiple AD Forests and are looking to issue certificates to various devices within each of these forests. Can I still build an Ent Sub-CA and issue certificates to devices which are in different AD Forests and devices which are not part of the domain? Or should I build a standalone Sub-CA?
Also, these AD Forests are spread across various datacenters round the world. Should I design one CA Server per datacenter? Any advice on how to go about it?