I am looking to deploy a small but secure two-tier PKI infrastructure.
The RootCA will be importing an existing externally provided private.key into a Standalone CA/Root CA server (which will be taken offline once configured).
There will also be a SubCA server (online domain attached) offering the issuing and enrolment services to the devices/workstations/user/smart cards/network devices.
My quick question (a quick one, I hope) is: with the externally imported key, this then becomes our RootCA, which we can take offline and store securely away, and we are then just left with a SubCA server providing the above services?
We will have numerous certificate templates in place on the SubCA for the various tasks.
We are also looking to use an external HSM device to store the RootCA private.key as an additional backup.