Public Key Infrastructure (PKI) delivers the cryptographic foundation that enforces trust, confidentiality, integrity, and non-repudiation across systems. A properly designed hierarchy isolates risk, scales issuance, and supports Zero Trust principles. Practitioners build these hierarchies to control certificate lifecycles, enforce policy, and contain breaches.

Design the Hierarchy First

Define clear roles before touching any system. The root CA sits at the top and issues certificates only to subordinate CAs. Subordinate (intermediate) CAs handle day-to-day issuance for servers, clients, devices, and code. This structure keeps the root offline, limiting exposure while allowing scalable operations.

Map your requirements:

• Root CA: Offline, air-gapped, high-assurance hardware security module (HSM) recommended.
• Policy CA / Intermediate CAs: Online or semi-online, segmented by use case (internal, external, device, user).
• End-entity certificates: Short-lived where possible, with strict key usage and extended key usage (EKU) constraints.
• Revocation strategy: Combine CRL distribution points (CDPs) and OCSP responders for timely status checks.

Document certificate profiles, validity periods, key sizes (RSA 2048+ or ECDSA P-384+), and signing algorithms (SHA-384 or stronger) in a Certificate Policy (CP) and Certification Practice Statement (CPS).

Prepare the Environment

Select hardened operating systems for each CA. Many organizations use dedicated Windows Server instances or Linux with OpenSSL/EJBCA. Enable strict access controls, enable full auditing, and apply least-privilege principles.

Install required tools:

• On Windows: Active Directory Certificate Services (AD CS) with Certification Authority role.
• On Linux: OpenSSL, Easy-RSA, or enterprise solutions like EJBCA or Dogtag.

Configure network segmentation. Place the root CA on an isolated network with no persistent internet connectivity. Use removable media for certificate signing requests (CSRs) and signed certificates.

Install and Configure the Root CA

Bootstrap the root CA on an air-gapped system. Administrators generate a self-signed root certificate with a long validity period (10–20 years) and strong parameters.

On Windows AD CS:

• Launch Server Manager and add the Certification Authority role.
• Choose Enterprise or Standalone root CA.
• Select the cryptographic provider and key length.
• Set the common name clearly, such as “Legacy Haven Root CA v1”.

On OpenSSL:

Bash

openssl genrsa -out root.key 4096
openssl req -x509 -new -nodes -key root.key -sha384 -days 7300 -out root.crt -subj "/C=US/ST=Virginia/O=Legacy Haven/OU=PKI/CN=Legacy Haven Root CA v1"

Export the root certificate and import it into trusted root stores across your organization. Store the private key in an HSM and maintain offline backups in secure, geographically distributed locations.

Create Subordinate CAs

Generate CSRs on each subordinate CA and sign them with the root. This establishes the chain of trust.

For a Windows subordinate CA:

• Install AD CS in Subordinate CA mode.
• Submit the CSR to the root CA for signing.
• Install the signed certificate on the subordinate.

For OpenSSL-based subordinates, administrators create a new key pair, generate a CSR with appropriate extensions, and transfer it to the root for signing:

Bash

openssl genrsa -out intermediate.key 4096
openssl req -new -key intermediate.key -out intermediate.csr -subj "/C=US/ST=Virginia/O=Legacy Haven/OU=PKI/CN=Legacy Haven Intermediate CA - Internal"

At the root CA, sign the CSR with the root key, including basic constraints for CA:true and path length limits:

Bash

openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt -days 1825 -sha384 -extfile extensions.cnf

Where extensions.cnf specifies:

text

basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign

Distribute the signed subordinate certificate back to the issuing server and install it.

Configure Policies and Revocation

Define issuance templates or profiles that enforce:

• Key usage and extended key usage constraints.
• Certificate templates with version 3 extensions.
• Automatic enrollment where appropriate, with manual approval for high-assurance certificates.

Set up revocation infrastructure:

• Configure CRL publication on a highly available web server with predictable CDP URLs.
• Deploy OCSP responders for real-time status.
• Enable OCSP stapling on servers where supported.

Implement certificate lifecycle automation: automated renewal for short-lived certificates, monitoring for expiring certs, and strict processes for revocation upon compromise or termination.

Deploy and Validate the Hierarchy

Distribute the root and intermediate certificates through Group Policy, MDM solutions, or custom scripts. Test the full chain validation using tools like openssl verify, certutil, or browser developer tools.

Perform operational tests:

• Issue test certificates for web servers, client authentication, and code signing.
• Validate revocation by revoking a test certificate and confirming clients reject it.
• Simulate key compromise scenarios and execute recovery procedures.

Monitor CA health through audit logs, performance counters, and centralized SIEM integration.

Maintain and Evolve the PKI

Schedule periodic root and intermediate key rotations. Review the CP/CPS annually and after major incidents. Plan for crypto-agility by supporting multiple algorithms and preparing migration paths to post-quantum cryptography.

Integrate the PKI with identity systems, SASE frameworks, and workload orchestration platforms to support continuous authorization and least-privilege access.

Next Steps: Apply these PKI foundations directly in resilient Zero Trust architectures. Read the deep dive on designing resilient systems and Zero Trust at https://legacyhaven.university/designing-resilient-systems-zero-trust-architecture-zta-deep-dive/.

Implement this hierarchy methodically. Strong PKI practices protect every layer of your environment and form the backbone of modern security operations.