Generally it is recommeded to build a PKI server as Root-CA. Then each KS can register with the Root-CA and become Sub-CA. Then the KS routers register with each Sub-CA. Now the Root-CA can be taken off-line. GM's only need to get a cert from one of the sub-CA servers.
Hope this helps.
Thanks,
Chetan
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: