Hi, we have Enterprise Root Issuing CA in the US. It issues all sorts of certificates to both computers/users in all our locations (US, Serbia, Malta ...). One of them is user certificate which must be valid in order to let him/her into LAN via VPN (FortiClient). We are worried about consequences of WAN link between Serbia/Malta and HQ in US (where CA resides) being down for any reason - people would not be able to get VPN access and work remotely. Since CA we only have at the moment is Enterprise Root Issuing CA what do you think about setting up subordinate enterprise issuing CAs in Serbia and Malta to address problem if WAN link is down or there is something better to be done.
Thank you in advance!