Channel: Security forum

3 Tier PKI - Policy CA queries


Hi

Background

A project I'm working on is looking to implement a 3 tier PKI hierarchy using W2K12 R2.  Policy CAs will be used to provide policy "boundaries" between several different domains.

The root will be held offline (HSM, not network attached etc), however the Policy CAs are going to be network attached in order to use a network HSM.  We intend to switch the policy CAs off when they are not in use.

Queries

Does the policy CA need to be a member of a specific domain and be an Enterprise CA?  Or should it be implemented as a standalone CA?  Current thinking is that it shouldn't be a member of the domain as it will potentially need to issue Enterprise CA certificates to multiple domains underneath it.

When we are issuing certificates to different domains, should we use the DNConfig parameter to control this?

Any help you can provide or clarifications you can give would be most welcome

Regards

Andy


