As the number of issued certificates in a public key infrastructure (PKI) increases, it can become difficult for a single certification authority (CA) to effectively track the certificates it has issued. One way to address this is to create a certificate hierarchy in which the CA delegates the authority to issue certificates to subordinate authorities which can, in turn, delegate authority to their subordinates. Each CA delegates authority by issuing a CA certificate to a subordinate. The initial CA in the chain is called the root, and it is not necessary for an entity to establish trust with any CA that resides on a different Certificate Chain from that on which the entity resides.
The following illustration shows a certificate hierarchy made up of one root CA, two CAs subordinate to the root (one for the marketing department and one for the manufacturing department), and CAs that are subordinate to these.