Decentralizing PKI
Hello
We have several small companies that fall under a single parent company and are all managed in a single AD domain using a decentralized administration approach. Each company has its own OU.
Mobile users in each office use a device-certificate-based authentication VPN to access corporate resources. The common name of the certificate is based on the device itself.
Currently all certificates for all companies are created from a single Windows CA. The problem with this design is that our inventory tracking isn't great and recently a user lost their tablet. We didn't know which certificate to revoke which resulted in us revoking all of them.
We would like to have dedicated certificate authorities for each company - that way if someone in company A loses a tablet and we don't know which individual certificate to revoke, we can just revoke all certificates for that company instead of all of them.
I wanted to get some input on the best design to accomplish this. Should we have a single offline Root CA directly under the parent company with SubCAs in each child company? Should we publish all CRLs to the same location or should each company also have their own CRL location?
Thank you in advance.
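The hierarchy the question proposes (one offline root, one issuing CA per company, device certificates under each) can be modelled end to end with Go's standard-library `crypto/x509`, which is enough to show why per-company issuing CAs give the revocation granularity the post is after and what "each issuer publishes its own CRL" means to a validator. The following is an added example written for this page; it is not code from the poster, from Windows CA, or from any product, and it only models the X.509 mechanics, not the ADCS configuration. All names (`Parent Corp Offline Root CA`, `Company A Issuing CA`, `TABLET-A-001`, and so on) and the `Entity`, `issue`, `publishCRL`, `trustDevice` and `Scenario` helpers are constructed for the demonstration. Company A, like the post, cannot tell which device certificate belongs to the lost tablet and revokes its whole issuing CA at the root; Company B knows which tablet is lost and revokes just that one on its own CRL, which goes slightly beyond the post to show both granularities side by side.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate together with its private key (constructed demo type).
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // simple serial counter for this constructed hierarchy

// issue creates a CA or device certificate named cn, signed by parent (self-signed when nil).
func issue(cn string, isCA bool, parent *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, parent != nil // issuing CAs may not create further CAs
	}
	signerCert, signerKey := tmpl, key // self-signed offline root
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Entity{Cert: cert, Key: key}, err
}

// publishCRL signs a CRL from issuer that lists the given certificates as revoked.
func publishCRL(issuer *Entity, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		// RevokedCertificates works on Go 1.19+; Go 1.21 added RevokedCertificateEntries as its successor.
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// trustDevice builds the chain device -> issuing CA -> root, then consults the CRL signed by
// each issuer in that chain. An issuer with no reachable CRL fails closed.
func trustDevice(dev, root *x509.Certificate, issuing []*x509.Certificate, crls []*x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range issuing {
		inters.AddCert(c)
	}
	chains, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	chain := chains[0]
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range crls { // pick the CRL by issuer name, as a CDP lookup would
			if bytes.Equal(c.RawIssuer, issuer.RawSubject) {
				crl = c
			}
		}
		if crl == nil {
			return fmt.Errorf("no CRL for issuer %q", issuer.Subject.CommonName)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

// Scenario returns, per device CN, whether the device is still trusted after Company A revokes
// its whole issuing CA at the root and Company B revokes only its lost tablet on its own CRL.
func Scenario() (map[string]bool, error) {
	var err error
	mk := func(cn string, isCA bool, parent *Entity) *Entity {
		var e *Entity
		if err == nil {
			e, err = issue(cn, isCA, parent)
		}
		return e
	}
	root := mk("Parent Corp Offline Root CA", true, nil)
	caA, caB := mk("Company A Issuing CA", true, root), mk("Company B Issuing CA", true, root)
	devices := []*Entity{mk("TABLET-A-001", false, caA), mk("LAPTOP-A-002", false, caA),
		mk("TABLET-B-001", false, caB), mk("LAPTOP-B-002", false, caB)}
	if err != nil {
		return nil, err
	}
	var crls []*x509.RevocationList
	for _, p := range []struct {
		ca      *Entity
		revoked []*x509.Certificate
	}{
		{root, []*x509.Certificate{caA.Cert}},       // root revokes Company A's whole issuing CA
		{caA, nil},                                  // Company A's own CRL stays empty: it cannot name the lost device
		{caB, []*x509.Certificate{devices[2].Cert}}, // Company B revokes just TABLET-B-001
	} {
		crl, err := publishCRL(p.ca, p.revoked...)
		if err != nil {
			return nil, err
		}
		crls = append(crls, crl)
	}
	trusted := map[string]bool{}
	for _, d := range devices {
		trusted[d.Cert.Subject.CommonName] = trustDevice(d.Cert, root.Cert,
			[]*x509.Certificate{caA.Cert, caB.Cert}, crls) == nil
	}
	return trusted, nil
}

func main() {
	trusted, err := Scenario()
	if err != nil {
		panic(err)
	}
	for cn, ok := range trusted {
		fmt.Printf("%-13s trusted=%v\n", cn, ok)
	}
}
```

Both Company A devices come back untrusted because their issuing CA is on the root's CRL, Company B's lost tablet is untrusted because it is on Company B's CRL, and Company B's laptop stays trusted. The validator never needs a single shared CRL: it looks up one CRL per issuer in the chain and checks that each is signed by that issuer, which is the property a CRL distribution point in each certificate gives you. Whether the per-CA CRLs are served from one HTTP location or one per company is therefore a hosting decision; what matters is that each issuing CA's certificates point at the CRL that issuing CA signs, and that the root's CRL (which is where a whole-company revocation lands) is reachable even though the root itself is offline.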