Hi,
I've been asked to look into getting a new cert for use on a FortiGate Firewall for Inspection and I'm afraid it's for the most part not something I'm familiar with. I've done a fair bit of work with SSL certs for websites / external SSL but wasn't involved in any of the initial setup of the MS PKI or the inspection cert setup.
I've got a RootCA (Standalone CA) and 2 SubCAs (Enterprise CA) and I'm not 100% sure what the usual way to request a new certificate for packet inspection would be: at the Root level (so under the root there would be 3 CAs, two Enterprise and 1 for use on inspection), or whether the inspection cert should be issued via one of the Enterprise CAs.
In my mind I'm thinking the RootCA would be easiest as it keeps all the SubCAs at the same 'tier', but I can't find very much info on what would be recommended. One thing which has cropped up is that the RootCA has "Path Length Constraint=2" and the SubCAs have "Path Length Constraint=0", so am I right in thinking the only option would be to issue it from the RootCA?
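The question turns on how the Path Length Constraint in BasicConstraints is enforced. An inspection certificate on a firewall has to be a CA certificate, because the firewall uses it to sign the per-site certificates it presents to clients, so the cert that issues it must have path length left to spend. The following is an added example, not code from the original post: a small Python checker that walks a chain from the root down and applies the RFC 5280 section 6.1.4 path-length rules (steps (l) and (m)) to each issuing CA. The certificate names and the constraint values are constructed to mirror the hierarchy described above (root with pathlen 2, subordinate CAs with pathlen 0); nothing here parses real certificates.

```python
"""Walk a certificate chain and apply RFC 5280 pathLenConstraint processing.

Constructed example: the Cert objects below stand in for the BasicConstraints
fields of real certificates and are not parsed from any actual PKI.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields that matter for path-length processing."""
    subject: str
    issuer: str
    is_ca: bool                      # BasicConstraints cA flag
    path_len: Optional[int] = None   # BasicConstraints pathLenConstraint; None = absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280: self-issued certificates do not consume path length
        return self.subject == self.issuer


def check_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the root, chain[-1] the end-entity certificate.

    Mirrors RFC 5280 s6.1.4 steps (k)-(m) for every certificate that issues
    the next one. The root's own constraint is applied too, which is what you
    see in practice when the self-signed root is part of the presented chain.
    """
    if len(chain) < 2:
        return False, "need at least an issuing CA and an end-entity certificate"
    max_path_length: Optional[int] = None   # None = unbounded so far

    for idx in range(len(chain) - 1):
        ca, child = chain[idx], chain[idx + 1]
        if child.issuer != ca.subject:
            return False, f"{child.subject} was not issued by {ca.subject}"
        if not ca.is_ca:                                   # step (k)
            return False, f"{ca.subject} has cA=FALSE but issued {child.subject}"
        # step (l): a non-self-issued CA uses up one unit of remaining path length
        if not ca.self_issued and max_path_length is not None:
            if max_path_length <= 0:
                return False, (f"{ca.subject} exceeds the pathLenConstraint of a CA above it "
                               f"and may not act as an intermediate")
            max_path_length -= 1
        # step (m): a CA's own pathLenConstraint can only tighten the limit
        if ca.path_len is not None and (max_path_length is None or ca.path_len < max_path_length):
            max_path_length = ca.path_len
    return True, "path length constraints satisfied"


# Constructed hierarchy matching the post: root pathlen 2, subordinate CAs pathlen 0
ROOT = Cert("CN=Root CA", "CN=Root CA", is_ca=True, path_len=2)
SUB = Cert("CN=Sub CA 1", "CN=Root CA", is_ca=True, path_len=0)


def inspection_ca(issuer: str) -> Cert:
    """The firewall's inspection cert: it must be a CA cert; pathlen 0 keeps it from issuing further CAs."""
    return Cert("CN=Inspection CA", issuer, is_ca=True, path_len=0)


def leaf(issuer: str) -> Cert:
    """An end-entity cert, e.g. one the firewall mints for a visited site (hostname constructed)."""
    return Cert("CN=www.example.com", issuer, is_ca=False)


SCENARIOS = {
    "inspection CA issued by Sub CA (pathlen 0)":
        [ROOT, SUB, inspection_ca(SUB.subject), leaf("CN=Inspection CA")],
    "inspection CA issued by Root CA (pathlen 2)":
        [ROOT, inspection_ca(ROOT.subject), leaf("CN=Inspection CA")],
    "ordinary server cert issued by Sub CA":
        [ROOT, SUB, leaf(SUB.subject)],
}

if __name__ == "__main__":
    for name, chain in SCENARIOS.items():
        ok, why = check_chain(chain)
        print(f"{'PASS' if ok else 'FAIL'}: {name} -> {why}")
```

Running it shows the first scenario failing at the inspection CA (a pathlen 0 subordinate can issue end-entity certs only), while the second passes with the inspection CA taking one of the two levels the root allows. To read the real values off your own certificates, `openssl x509 -in cert.pem -noout -text` prints the BasicConstraints line with its pathlen.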