I am currently reading the Windows Server 2008 PKI and Certificate Security book.
One chapter is about the Single-Tier Enterprise CA Hierarchy.
"Single-tier CA hierarchies generally are used only when simple administration is required,
costs must be minimized, and the organization’s security policy does not require the
implementation of an offline root CA."
Higher-tiered CA hierarchies in the book are always presented with an Offline Root CA, wich is not an Enterprise CA.
I'd like to go a middle course. I prefer the Single-Tier CA Hierarchy for investing in another Windows license, to have an subordinate CA that issues certificates to users and computers, is not in our budget. And I don't feel comfortable with the thought that I would sign all issued certificates with the root certificate. For the last part I really want to setup a Two-Tiered CA Hierarchy.
Is it possible to implement a Single-Tiered Enterprise CA Hierarchy that signes certificates with an intermediate certificate andnot the root certificate?
Could you recommend any literature regarding that topic?