I am working on refreshing a single-tier AD CS deployment with an offline root CA (workgroup) and a single issuing subordinate CA within a single forest.
I have run into the discovery that they are currently running subordinate CAs with Websense appliances and Palo Alto firewalls. I am curious about deployment strategies elsewhere when running into these scenarios. I am considering the following:
Offline RootCA
Online Subordinate Issuing CA
Hanging additional Subordinates below the EnterpriseSubordinateCAs
This will sort of create a 3-tier design, but it allows me to keep the offline root CA non-routable from the network, as the Websense appliances need to contact the root CA to download the CRL if we went with a strictly 2-tier design.
Let me know if anyone has any comments, concerns, feedback, etc.
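As an added example (not from the original post or from anyone in this thread), the following certutil commands show how an offline root CA's CRL and CA certificate are typically advertised at an HTTP location on the online network, so that relying parties such as proxy appliances and firewalls fetch the root CRL from that web server rather than from the root itself. The host name pki.corp.example, the UNC path \\webpki\CertEnroll and the file issuing-ca.cer are placeholder assumptions; the CRL lifetimes are illustrative values.

```powershell
# Added example, not from the original post. Assumed placeholders:
#   pki.corp.example    - HTTP host on the online network serving /CertEnroll
#   \\webpki\CertEnroll - constructed UNC path of that web root, reached from an online host
#   .\issuing-ca.cer    - the issuing CA certificate, used only for the final chain check
# Run in an elevated PowerShell on the offline root CA after the CA role is installed.

# CDP extension: flag 1 publishes the CRL into the local CertEnroll folder, flag 2 puts the
# HTTP URL into issued certificates. %3 = CA name, %8 = CRL suffix, %9 = delta CRL suffix.
# The literal "\n" separates entries; certutil splits on it, PowerShell passes it through.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.corp.example/CertEnroll/%3%8%9.crl"

# AIA extension for the root certificate. %1 = server DNS name, %4 = certificate name suffix.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt"

# An offline root signs CRLs only when it is powered on, so give the CRL a long validity
# plus an overlap window so relying parties never see an expired root CRL between signings.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0   # no delta CRL from an offline root

Restart-Service CertSvc
certutil -crl                                # write a fresh CRL into CertEnroll

# Move the CRL and root certificate to removable media, then from an online host copy them
# to the web root that pki.corp.example serves (the root itself stays off the network).
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl" -Destination "\\webpki\CertEnroll\"
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crt" -Destination "\\webpki\CertEnroll\"

# From an online machine, confirm that chain building retrieves the root CRL and AIA
# from the HTTP location only; any "Failed" entry in the URL output points at a CDP/AIA
# that the appliances will not be able to reach either.
certutil -verify -urlfetch .\issuing-ca.cer
```

The `-urlfetch` check is worth running from the same network segment as the appliances, since they will fetch the same URLs the issuing CA certificate advertises; if the root CRL expires before the root is next brought online, every certificate below it fails revocation checking, which is why the CRL period and overlap on an offline root are chosen around the maintenance schedule.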