Most medium to large enterprises manage their own PKI. While it may sound simple, there are many parts to it, and many considerations to be made. The typical setup of a multi-tiered PKI includes an offline root CA. This root CA is initially used to generate certificates for subordinate CAs that will be the actual, online CAs that serve certificates.

The validity period of certificates gets smaller the further we descend. The offline root CA has the longest validity period (for example, 10 years). A subordinate CA always has a shorter or equal validity period (for example, five years). Any certificates signed by the subordinate CA have the shortest validity period. Usually, enterprises renew their certificates yearly.