The following three reasons explain why setting up a three-tiered Certificate Authority (CA) hierarchy is usually a better approach than using a one- or two-level CA. First, you should never issue certificates from the root CA for anything but an intermediate CA. The validity of all certificates in the rest of the chain depends on the integrity of the root certificate. If the root certificate’s private key is lost, stolen, or otherwise compromised, then all other certificates in the chain are worthless. By creating a hierarchy of CAs, you can operate the root CA server off the network, in a physically secure environment to better protect it. Second, creating intermediate CAs lets you define different certificate policies for different groups of users. For example, you might want to create separate CA servers for disparate geographic regions because of business, management, or legal concerns, or you might need to create certificates that will be used in regions of the world that are less stable and secure than others. Also, when a CA issues a certificate, the CA specifies a certificate's lifetime or validity period. When the possibility of certificate compromise—or worse, CA compromise—is likely, issuing certificates with a shorter life span is a good idea. By creating multiple intermediate CAs, you can define longer lifetimes for certificates used in some parts of the world, and shorter lifetimes for others. And third, creating multiple issuing CAs lets you distribute the load if you need to manage many certificates.
