We are running a three-tier Microsoft PKI environment with one Root CA, one Intermediate CA and one Issuing CA at our headquarters. We want to introduce redundancy in our environment with respect to the Issuing CA by adding another Issuing CA. So, I would appreciate some design recommendations for such a requirement, particularly in the case where we want to introduce the new Issuing CA at a different location.
Would such a configuration make it redundant? Or would it be a good design? And would it only require just an Issuing CA at the remote location?