PKI Offline Root CA signing two different domains

ogo-2020 21 Reputation points
2023-08-17T04:36:21.6+00:00

Hi,

We currently have a PKI configuration of 1 root CA (offline) and two subordinate CAs within our staff domain (i.e. staff.domain.com).

We also have another domain that currently does not have a PKI infrastructure; let's call this public.domain.com.

Since the root CA is not domain-joined and it's offline, can I configure this in a way where the root CA also signs the certificates for subordinate CAs in public.domain.com? There is no trust between the two domains and they are not in a forest.

So one root CA and two different domains.

thank you!


1 answer

  1. Anonymous
    2023-08-17T06:33:12.35+00:00

    Hello ogo-2020,
    Thank you for posting in our Q&A forum.
    I think your requirements can be achieved.

    So in your case, the PKI structure is like:
    Root CA is not in any domain (offline standalone root CA, even without Internet).
    Two sub CA servers are in domain named staff.domain.com.
    One sub CA server is in domain named public.domain.com.
    Domain staff.domain.com and public.domain.com are different domains without trust.

    Here is a similar thread for your reference.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7be51ccb-e15a-4098-b4ef-bb82980ece9c/can-we-use-single-root-ca-for-two-different-forests#:~:text=Yes%2C%20this%20configuration%20is%20possible.%20You%20will%20need,in%20ForestA%20and%20SubCA-B%20is%20installed%20in%20ForestB.

    Tip: Please set up such a PKI structure in a test lab first, and only if there is no error or issue deploy it in the production environment.

    Hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

