Do I really need a ROOT CA?
We use our CA for VPN and Wireless. Since systems and VPN still have to be logged into with passwords, aka 2 factor authentication, I don't really see the need for a Root. Can anyone weigh in on this?
David Jenkins
June 6th, 2012 5:12pm
Not really sure what you are asking.
1) If you need certificates as part of your authentication/tunnel encryption process, then you need a CA. (It does not matter whether you have a one tier or a 700 tiered CA hierarchy, there will be one root CA in the hierarchy.)
2) Using a software certificate and a password is **not** two factor authentication. It is dual authentication. You cannot claim that a certificate is a second factor when knowledge of the user's password provides access to the software certificate.
Brian
June 7th, 2012 12:24am
I guess I should have said offline root CA. I'm planning on using email encryption eventually so the CRL would get published externally. I'm probably better off with an offline root CA; however, I'm trying to weigh the costs of an additional OS with that of having the best security.
I'm also contemplating creating a root CA that I simply stop services on, say a system already in use for other things, but then I worry that it could be compromised anyway since the db could get hijacked.
David Jenkins
June 7th, 2012 9:25am