Subscribe to the Non-Human & AI Identity Journal

Certificate Authority Hierarchy

A certificate authority hierarchy is the chain of root and intermediate authorities used to issue and validate certificates. The hierarchy limits trust blast radius by separating high-value signing keys from operational issuance, but it only works when each layer is intentionally scoped and owned.

Expanded Definition

Certificate authority hierarchy is the trust structure that determines which certificate authorities can issue, delegate, and validate certificates across an environment. In practice, it usually includes a highly protected root CA, one or more intermediate CAs, and operational issuance boundaries that keep day-to-day signing separate from the most sensitive trust anchor. That separation matters because the compromise of a root CA has a far larger blast radius than the compromise of a single issuing tier.

In NHI and IAM programs, the hierarchy is not just a PKI design choice. It is a governance model for key custody, policy scoping, certificate path building, and revocation strategy. Definitions vary across vendors on how much hierarchy is necessary, but the security objective is consistent: minimise trust concentration while preserving verifiable chain-of-trust. A well-run hierarchy also makes ownership clearer, which is essential when machine identities outnumber human identities and certificate sprawl becomes difficult to track. The most common misapplication is treating the hierarchy as a one-time diagram, which occurs when teams issue certificates from operational CAs without enforcing ownership, rotation, and policy boundaries.

For broader identity context, see the Ultimate Guide to NHIs — What are Non-Human Identities and the NIST Cybersecurity Framework 2.0.

Examples and Use Cases

Implementing certificate authority hierarchy rigorously often introduces operational overhead, requiring organisations to balance stronger trust segmentation against more complex certificate lifecycle management.

  • An enterprise keeps its offline root CA sealed while using an intermediate CA for internal workload certificates, reducing exposure if routine issuance tooling is compromised.
  • A Kubernetes platform uses a dedicated issuing CA for service-to-service mTLS, with separate policy and renewal controls for each cluster or environment.
  • A regulated payment environment segments public-facing certificates from internal automation certificates so revocation and audit activity can be scoped to the affected trust domain.
  • A mergers-and-acquisitions integration team adds a transitional intermediate CA to bridge legacy systems while migration and ownership transfer are completed.
  • A security team maps certificate issuance events into central logging so it can investigate abnormal signing activity and correlate it with the Sisense breach lessons on identity-driven exposure.

These patterns align with certificate governance guidance in the NIST Cybersecurity Framework 2.0, where identity assurance, logging, and recovery all depend on knowing which authority issued which credential.

Why It Matters in NHI Security

Certificate authority hierarchy matters because NHI security fails fast when trust is over-centralised or poorly delegated. If one issuing layer is reused for too many workloads, a single key compromise can affect services far beyond the original scope. If ownership is unclear, revocation becomes slow, and expired or misissued certificates can interrupt automation, authentication, and service-to-service access. This is especially important in environments where certificates represent machine identity, workload identity, or agent credentials rather than just website encryption.

NHI Management Group research shows that 45% of organisations say certificate expiry is the leading cause of outages, and 61% still rely on spreadsheets or manual tracking for machine identity management. That combination creates a hierarchy that looks sound on paper but fails under operational pressure. Proper hierarchy design also supports Zero Trust by ensuring trust is verifiable, narrow, and revocable at each layer instead of being inherited blindly across the estate. Organisations typically encounter the need for stronger hierarchy controls only after an outage, a misissued certificate, or a compromise has already exposed how much authority one issuing chain actually held.

For machine identity risk context, review Ultimate Guide to NHIs — What are Non-Human Identities alongside the identity resilience focus in NIST Cybersecurity Framework 2.0.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers secret and certificate lifecycle risks tied to machine identities.
NIST CSF 2.0 PR.AA Identity and access assurance depends on trustworthy certificate issuance and validation.
NIST Zero Trust (SP 800-207) Zero Trust requires per-request trust evaluation rather than blanket trust in a certificate chain.

Limit CA scope, track issuance, and rotate certificates under explicit ownership and audit controls.