Public or Private Dedicated CAs

Branded intermediates, roots, and hierarchies hosted and maintained by GlobalSign

 

Control your chain of trust without managing PKI in-house

Dedicated intermediate CAs (ICAs), sometimes referred to as subordinate or issuing CAs, are used to issue end-entity certificates exclusively for one specific company. Having your own ICA or hierarchy gives you greater control over the chain of trust in your ecosystem, allowing you to trust only certificates issued from your trust model.

These CA hierarchies can be public or private trust and are branded to the customer, but they are hosted and managed by GlobalSign in our WebTrust-audited, secure data centers. Relying on GlobalSign to host your ICAs and roots ensures all CA components are properly protected and configured in line with the latest industry best practices, eliminating the cost and resource burden on internal teams to manage PKI. Note: In some rare cases (e.g., SSL inspection/decryption), the intermediate is hosted by the customer.

How It Works

GlobalSign supports both public trust customer-specific ICAs and private trust customer-specific hierarchies. Below are very simple examples of the many configurations we can support. With the exception of a few scenarios, all roots and ICAs are hosted and maintained by GlobalSign.

Example hierarchies

Reasons for Using a Dedicated CA or Root

Below are a few of the most common reasons a company would want their own intermediate CA or private hierarchy. This list is not exhaustive and we can support a variety of hierarchy and trust options. Contact us with specific questions.

Client Authentication

Certificate-based client authentication often validates certificates based on the intermediate CA that issued them. By having an exclusive subordinate CA, you can limit who has certificates that grant access to a system. These use cases generally use private trust hierarchies.

Branding

For companies that offer certificates to their end customers or bundle them into their services, having a dedicated subordinate CA in their name can offer some additional branding opportunities.

SSL/TLS Inspection/Decryption

In order for an SSL inspection appliance to decrypt and re-encrypt content, it must be able to issue certificates as needed. This means it needs its own subordinate CA and it cannot be publicly trusted. For this use case, GlobalSign hosts the root, and the ICA is hosted on the customer's inspection appliance.

Special Use Case Certificates

Certificates issued under private hierarchies can support legacy applications and unique configurations, such as longer validity periods and smaller key sizes, that are not permitted in publicly trusted certificates per the CA/Browser Forum Baseline Requirements.

Note: if you only need private SSL/TLS, but not your own intermediate, we offer this through our IntranetSSL product.

Custom Profiles

You can configure a subordinate CA to meet your specific needs regarding extended key usage, certificate policy, CRL distribution, short-lived certificates and more.

Related Solutions

Auto Enrollment Gateway

Automate provisioning and management by leveraging Active Directory, SCEP, and ACME. Certificates can be issued from branded public intermediates, dedicated private hierarchies, or GlobalSign's shared public CAs depending on the use case.

IoT Identity Platform

For organizations wanting to add a layer of manageability to the IoT chain of trust, dedicated intermediate CAs accommodate custom certificate profiles, isolate individual workflows, and provide a higher degree of device identity management.