Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a hierarchy that
could issue signing certificates to other CAs and which would be taken offline if not issuing, renewing, or
revoking signing certificates?

A. Enterprise root
B. Enterprise subordinate
C. Standalone root
D. Standalone subordinate

The key phrase to look for here is that it can be taken offline. That means you don’t want it in your domain.
Imagine that Comodo, Verisign and the like have an old Gen1 Pentium in a vault somewhere that contains their uber-server. Or have they converted them to offline virtual machines yet? What do you think?