Hi all,
Question for the certificate experts here.
My company consists of a single AD forest: a root domain with three child subdomains. The subdomains must remain isolated from each other as they serve different roles and compliance dictates this. Separate forests are not an option in this case.
What's the best setup for deploying a PKI infrastructure here which will maintain isolation between them?
1) A single offline Root CA and subsequent Sub CAs at each domain? (Would this work bearing in mind I need Enterprise Admin rights in the child domains, and if so is it a case of installing the Sub CAs in the child domains with the forest root Enterprise Admin account?)
2) Do I need separate Root CAs for each child domain with subsequent CAs at each domain?
3) A single offline Root CA with a Sub CA in the root domain and additional Sub CAs in each subdomain?
Any specific information on achieving the isolation would be greatly appreciated, as I've searched through the usual MS PKI documents but can't seem to find what I think I need (unless I really misunderstand how this works).
Thank you,
Martin