Generally it is recommeded to build a PKI server as Root-CA. Then each KS can register with the Root-CA and become Sub-CA. Then the KS routers register with each Sub-CA. Now the Root-CA can be taken off-line. GM's only need to get a cert from one of the sub-CA servers.
Hope this helps.
Thanks,
Chetan
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.