3.1.3. Self-Signed Root CA or Subordinate CA
A Certificate Manager can be configured as either a root CA or a subordinate CA. A self-signed root CA issues and signs its own CA signing certificate. A subordinate CA can be subordinate to a public CA or to a Certificate System root CA; either way, the superior CA signs the subordinate CA's signing certificate. A subordinate CA is restricted in the types and contents of the certificates it can issue by the contents and settings of the CA signing certificate issued to it: the kinds of certificates that it can issue, the extensions that it is allowed to include in certificates, the number of levels of subordinate CAs it can create, the validity period of the certificates it can issue, and the validity period of its own signing certificate.
Subordination to a Public CA. Chaining the Certificate System CA to a third-party public CA introduces the restrictions that public CAs place on the kinds of certificates the subordinate CA can issue and on the nature of the certificate chain. This may not be acceptable for some PKI deployments. One benefit of chaining to a public CA is that the third party is responsible for getting its root CA certificate into web browsers and other client software, which is a major advantage for certificates that are accessed from other companies with browsers that the administrator cannot control.
Subordination to a Certificate System CA. Setting up a Certificate System CA as the root CA means that the Certificate System administrator controls all subordinate CAs by setting policies that govern the contents of the CA signing certificates issued to them. A subordinate CA issues certificates by evaluating its own authentication and certificate profile configuration, without regard for the root CA's configuration.
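The two constraints described above that a root CA imposes through the subordinate's signing certificate, the number of further CA levels (the basic-constraints path length) and the subordinate's own validity period, can be seen in action with a small in-memory hierarchy. The following Go program is an added example, not code from Certificate System; it uses only the standard `crypto/x509` package, and all names, validity periods and the path-length values are constructed for the illustration. It builds a self-signed root whose policy allows one level of subordination, a subordinate CA limited to pathLen 0 with a two-day validity, and then shows that a certificate issued through an extra CA level fails chain validation, and that the subordinate's short validity caps the usable lifetime of everything it issues even when the end-entity certificate itself is valid for a year.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed, in-memory PKI: a self-signed root (pathLen 1),
// a subordinate CA (pathLen 0, short validity), a further CA that the
// subordinate signed anyway, and an end-entity certificate under each.
type Hierarchy struct {
	Root, Sub, SubSub, Leaf, DeepLeaf *x509.Certificate
}

var serial int64 // constructed sequential serials; a real CA uses random ones

// caTemplate builds a CA certificate template. maxPathLen is the number of
// further CA levels permitted beneath it (0 = may only issue end-entity certs).
func caTemplate(cn string, maxPathLen int, validity time.Duration) *x509.Certificate {
	serial++
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0, // encode pathLenConstraint=0 explicitly
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds an end-entity (server) certificate template.
func leafTemplate(cn string, validity time.Duration) *x509.Certificate {
	serial++
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildHierarchy generates keys and issues every certificate of the test PKI.
func BuildHierarchy() (*Hierarchy, error) {
	keys := make([]*ecdsa.PrivateKey, 5)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, subKey, subSubKey, leafKey, deepKey := keys[0], keys[1], keys[2], keys[3], keys[4]

	// sign issues tmpl for pub under parent (tmpl == parent self-signs) and
	// re-parses the DER so that the encoded constraints are what gets verified.
	var firstErr error
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
		if firstErr != nil {
			return nil
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
		if err != nil {
			firstErr = err
			return nil
		}
		c, err := x509.ParseCertificate(der)
		firstErr = err
		return c
	}

	rootTmpl := caTemplate("Example Root CA", 1, 10*365*24*time.Hour)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// The root's policy fixes what the subordinate may do: no further CA
	// levels, and a signing certificate valid for only two days.
	sub := sign(caTemplate("Example Subordinate CA", 0, 48*time.Hour), root, &subKey.PublicKey, rootKey)
	// Nothing stops the subordinate from signing another CA certificate; the
	// restriction is enforced by relying parties when they validate the chain.
	subSub := sign(caTemplate("Example Sub-Sub CA", 0, 48*time.Hour), sub, &subSubKey.PublicKey, subKey)
	leaf := sign(leafTemplate("www.example.test", 365*24*time.Hour), sub, &leafKey.PublicKey, subKey)
	deepLeaf := sign(leafTemplate("deep.example.test", 365*24*time.Hour), subSub, &deepKey.PublicKey, subSubKey)
	if firstErr != nil {
		return nil, firstErr
	}
	return &Hierarchy{root, sub, subSub, leaf, deepLeaf}, nil
}

// Verify tries to build a chain from cert to the root as of time at, with both
// CAs offered as intermediates, and returns the validation error if any.
func (h *Hierarchy) Verify(cert *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Sub)
	inters.AddCert(h.SubSub)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf via subordinate, now:      ", h.Verify(h.Leaf, time.Now()))
	fmt.Println("leaf via extra CA level, now:   ", h.Verify(h.DeepLeaf, time.Now()))
	fmt.Println("leaf via subordinate, in 3 days:", h.Verify(h.Leaf, time.Now().Add(72*time.Hour)))
}
```

The first check succeeds; the second fails because the chain contains more intermediates than the subordinate's pathLenConstraint of 0 allows; the third fails because the subordinate's signing certificate has expired, even though the leaf itself is still within its own validity period. This is why the root operator's choice of path length and validity in the subordinate's CA signing certificate is a real policy control rather than a formality.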
It is easiest to make the first CA installed a self-signed root, so that it is not necessary to apply to a third party and wait for the certificate to be issued. Before deploying the full PKI, however, consider whether to have a root CA, how many to have, and where both root and subordinate CAs will be located.