Channel: Security forum

Certificate Enrollment Web Service for cross forest Certificate Enrollment


We are planning to implement Windows Server 2012 ADCS. We have resources in multiple untrusted AD Forests for which certificates have to be issued. These resources include Windows Servers, VMware ESX, vCenter Servers, and hardware gear (UCS, Nexus etc). In order to use ADCS, can we deploy one instance of the CA on a cluster in one AD Forest and use the Certificate Enrollment Web Service to enroll certificates to resources in all other AD Forests?

Or

Do we need to install an Offline Root CA in one of the AD forests and install Issuing CAs in all other untrusted forests and publish all the CRLs onto one Web Server which will be in an NLB Cluster?

The first solution is very cost effective and has less management overhead, compared to the second solution.

Kindly advise and provide some deployment guidelines for my scenario.

Thanks

