A subordinate CA is a certificate authority that derives its trust from a higher certificate authority rather than acting as the ultimate root. It matters because tiered trust reduces direct exposure of root authority and enables more controlled operational delegation.
What is Subordinate CA?
A subordinate CA can issue certificates or even additional subordinate authorities depending on policy and technical constraints. This structure supports operational flexibility, separation of environments, and reduced risk to top-level trust anchors.
What Subordinate CA Commonly Supports
Common uses include enterprise PKI layering, regional or business-unit trust separation, intermediate certificate operations, and delegated issuance.
Subordinate CA vs. Root CA
A subordinate CA derives trust from a higher authority. A root CA is the top-level anchor that does not itself derive trust from another CA in that chain.
Frequently Asked Questions
Why use subordinate CAs?
Because they allow operational delegation and separation without exposing the root to routine signing work.
Can a subordinate CA issue more subordinates?
Sometimes, depending on policy and technical constraints such as path length and program design.
