In the hierarchical model, what does a single certificate authority (CA), called the root, issue certificates to?

In the hierarchical model of Public Key Infrastructure (PKI), the root certificate authority (CA) serves as the foundation of the trust hierarchy. The root CA is responsible for issuing certificates to several intermediate certificate authorities. These intermediate CAs then act as brokers, issuing certificates to end-users, devices, or additional subordinate CAs.

This structure allows for effective management of the PKI by distributing the responsibility of certificate issuance and maintaining trust relationships. It mitigates risk; if an intermediate CA needs to be revoked or compromised, only that part of the hierarchy is affected, leaving the root CA and other intermediate CAs intact. This cascading approach to managing certificates enhances scalability and security across the entire system.

In contrast, while the root CA does ultimately tie back to end-users through intermediate CAs, it does not typically issue certificates directly to end-users or subjects or to registration authorities, which serve different roles in the PKI ecosystem. The hierarchical structure ensures that the root CA's role is primarily as a credential issuer for intermediate CAs, reinforcing the integrity and trustworthiness of the certificate issuance process.