How Many Tiers Should a PKI Have?
Public CAs use a two- (or three-)tier PKI: the so-called leaf certificate of the end user is issued by an Issuing CA, sometimes called a Subordinate CA or Intermediate CA, and the Issuing CA's certificate is in turn issued by a Root CA. A leaf certificate is trusted when this chain of issuance ends in a Root CA that the client trusts.
Internal CAs often use a Single Tier PKI, i.e. the Root CA directly issues the leaf certificates for the end users without an Intermediate CA.
What happens if an Internal Issuing CA is compromised? If you have a separate Root CA, you can revoke the Issuing CA certificate, of course. But an offline Root CA usually issues CRLs that are valid for 6 or 12 months, and clients cache a CRL until its nextUpdate. So even if you publish a new CRL immediately after revoking the Issuing CA certificate, clients might not fetch it for months, and during that time the attackers can still use certificates created with the compromised Issuing CA. Thus, the responsible solution is the same whether you have a single- or a multi-tier PKI: you remove the Root CA from the devices' trust store. With Intune-, Jamf- or AD-managed devices (and probably most other MDMs), this is a few clicks, and it reaches all online devices at their next check-in or push (Intune, Jamf) or Group Policy refresh (AD), i.e. within minutes to hours. In any case much faster than the revocation method!

If you have multiple Issuing CAs under the same Root CA, though, removing the Root CA also invalidates the uncompromised Issuing CAs, so the two-tier PKI actually makes it harder to invalidate only the compromised CA. You could use OCSP for the Root CA instead, but then an OCSP responder would have to be reachable by every client, in practice from the internet. If the Root CA itself were the OCSP responder, it could no longer be an offline CA. If you used a dedicated OCSP responder, the architecture would become much more complex, for a very limited security benefit.
For Public CAs, pushing a new Root CA certificate to devices is also a slow and complex process. Usually it is part of an OS or browser update, so it takes months or years to reach most devices. From a management perspective, it therefore makes sense for a Public CA to have a separate Root and Issuing CA. But for your Internal CA, it takes just a few minutes to push a new Root CA to all of your managed devices. Only if you have a very heterogeneous IT landscape would I recommend a two-tier PKI for an Internal CA, say, many unmanaged Linux devices, or Thunderbird with its separate certificate store, or something similar. Otherwise, the second tier offers no real benefit.
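The revocation-versus-trust-store argument above can be reproduced in a lab. The script below is an added example and not code from the original article: it builds a two-tier PKI with openssl (all names such as lab-root, lab-issuing and lab-server are made up), revokes the Issuing CA on the Root CRL, and then checks the leaf certificate as three clients would see it: one still holding the old, still-valid Root CRL, one holding the fresh CRL, and one whose trust store has been switched to a replacement Root CA. It assumes openssl 1.1.1 or 3.x on PATH and POSIX sh.

```shell
#!/bin/sh
# Added lab example (not from the original article): two-tier PKI
# lab-root -> lab-issuing -> lab-server, then revoke lab-issuing on the Root
# CRL and compare what three clients see. Every name here is made up.
# Assumes: openssl 1.1.1 or 3.x on PATH.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl.cnf plus the state files `openssl ca` needs. $1 = CA dir.
# CRLs get a one-year validity, the order of magnitude the article describes.
new_ca_dir() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
[ v3_root ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $WORK/$1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 365
policy           = any_dn
[ any_dn ]
commonName = supplied
[ v3_sub ]
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed Root CA in directory $1 with CN $2.
new_root() {
  new_ca_dir "$1"
  openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>>ca.log
}
new_root root    lab-root     # the Root CA currently in every trust store
new_root newroot lab-root-2   # the replacement Root CA an MDM would push later

# Issuing CA signed by lab-root, then a leaf signed by the Issuing CA.
new_ca_dir issuing
openssl req -new -config issuing/openssl.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=lab-issuing" -keyout issuing/ca.key -out issuing.csr 2>>ca.log
openssl ca -batch -notext -config root/openssl.cnf -extensions v3_sub \
  -in issuing.csr -out issuing/ca.pem >>ca.log 2>&1
openssl req -new -config issuing/openssl.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=lab-server" -keyout leaf.key -out leaf.csr 2>>ca.log
openssl ca -batch -notext -config issuing/openssl.cnf -extensions v3_leaf \
  -in leaf.csr -out leaf.pem >>ca.log 2>&1

# CRLs as clients cached them before the compromise was discovered.
openssl ca -config root/openssl.cnf    -gencrl -out root-crl-old.pem >>ca.log 2>&1
openssl ca -config issuing/openssl.cnf -gencrl -out issuing-crl.pem  >>ca.log 2>&1

# The Issuing CA is compromised: revoke it and publish a fresh Root CRL.
openssl ca -config root/openssl.cnf -revoke issuing/ca.pem -crl_reason keyCompromise >>ca.log 2>&1
openssl ca -config root/openssl.cnf -gencrl -out root-crl-new.pem >>ca.log 2>&1

# Validate the leaf as a client would. $1 = trust store, $2 = the Root CRL
# that client currently holds. Prints OK or FAIL.
verify_leaf() {
  cat "$2" issuing-crl.pem > "crls.$$.pem"
  if openssl verify -crl_check_all -CAfile "$1" -CRLfile "crls.$$.pem" \
       -untrusted issuing/ca.pem leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
  rm -f "crls.$$.pem"
}

# Until when the stale CRL stays acceptable, i.e. the attacker's window.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate; }

echo "stale Root CRL accepted until:  $(crl_next_update root-crl-old.pem)"
echo "client with stale Root CRL:     $(verify_leaf root/ca.pem    root-crl-old.pem)"  # OK
echo "client with fresh Root CRL:     $(verify_leaf root/ca.pem    root-crl-new.pem)"  # FAIL
echo "client with lab-root replaced:  $(verify_leaf newroot/ca.pem root-crl-old.pem)"  # FAIL
```

The first client keeps accepting certificates from the revoked Issuing CA until the cached Root CRL expires, which is the window the text warns about; only the client whose trust store no longer contains lab-root rejects the leaf regardless of which CRL it holds. That is the same outcome a single-tier PKI reaches by removing its Root CA, without the second tier.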
While Public CAs must use a Multi-Tier PKI, for an Internal PKI a Single-Tier PKI is usually superior to a Multi-Tier one. Even if they were on par, the Single-Tier PKI has the simpler architecture: it is easier to set up and maintain, it has fewer attack vectors, and it is more flexible to extend or shrink by adding or removing Root CAs.