Deploying a 2-Tier PKI
Security first! I implemented a proper 2-tier PKI with an offline Root CA and an online Enterprise Issuing CA.
The Root CA lives on an air-gapped VM that only comes online for CRL updates. The Issuing CA handles all certificate requests and integrates with Active Directory for auto-enrollment.
This setup follows Microsoft best practices and provides enterprise-grade certificate services.
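With a Root CA that is only powered on for CRL updates, a root CRL that passes its NextUpdate date makes revocation checks against the chain fail. The following PowerShell check is an added example, not part of the original post; the CRL path, the warning threshold and the English `certutil` output labels are assumptions.

```powershell
# Added example (not from the original post): warn before the offline
# Root CA's CRL expires, so the root can be powered on in time.
param(
    [string]$CrlPath  = 'C:\pki\RootCA.crl',  # assumption: local copy of the root CRL
    [int]   $WarnDays = 30                     # assumption: lead time for the reminder
)

if (-not (Test-Path -LiteralPath $CrlPath)) {
    throw "CRL file not found: $CrlPath"
}

# certutil -dump decodes the CRL; for a CRL the output includes a
# "NextUpdate:" line. English labels and a date format that the current
# culture can parse are assumptions about the host this runs on.
$dump = & certutil.exe -dump $CrlPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $CrlPath (exit code $LASTEXITCODE)"
}

$match = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) {
    throw "No NextUpdate field in $CrlPath; it may not be a CRL"
}

$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
$daysLeft   = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)

if ($daysLeft -lt 0) {
    Write-Warning "Root CRL expired on $nextUpdate. Revocation checks on the chain will fail."
    exit 2
}
elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "Root CRL expires in $daysLeft day(s) ($nextUpdate). Schedule the Root CA power-on."
    exit 1
}
else {
    Write-Output "Root CRL valid for $daysLeft more day(s), until $nextUpdate."
    exit 0
}
```

The exit codes (0 valid, 1 expiring soon, 2 expired) let a scheduled task or monitoring agent alert on the result.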