2.3.1. Single Certificate Manager

Some deployments require a single Certificate Manager to handle all end-entity interactions. In such a deployment, no DRM is needed for key archival or recovery, and no OCSP is required for certificate verification. The Certificate Manager can sign all the certificates it issues with either a signing certificate issued by a public certificate authority or its own self-signed CA signing certificate.

Figure 2.1. Single-Root Certificate Manager

Figure 2.1, “Single-Root Certificate Manager”, shows the relationships between a single Certificate Manager, end entities, and a publishing directory. The Certificate Manager can publish both end-entity certificates and CRLs to a directory.