Hi, currently we have 3 production forests completely isolated from one another, with each production forest having a 1-tier PKI with an Enterprise Issuing CA only, so there is no Standalone Offline Root CA; the other CAs are its subordinates. I am thinking of creating a brand new management forest where I would like to implement a 2-tier PKI capable of enrolling certificates to users/computers in all 3 production forests. The InfoSec team will allow a two-way trust between the production forests and the management forest, with selective authentication in the direction production forest --> management forest.
I was following an article, and the scenario covered is when there is a Standalone Offline Root CA with its Enterprise Subordinate Issuing CA in each forest. Does it mean I cannot perform the consolidation and have a 2-tier PKI only in the management forest enrolling certificates to users/computers in all 3 production forests? If the answer is that I cannot, what options are left?
Thank you very much in advance!