The certification authority

The CA role service holders are responsible for issuing, storing, managing, and revoking certificates. A PKI setup can have multiple CAs. Two main types of CA can be identified in a PKI:

  • The root CA: The root CA is the most trusted CA in the PKI environment. A compromise of the root CA can compromise the entire PKI. Therefore, the security of the root CA is critical, and most organizations bring it online only when they need to issue or renew a certificate. The root CA is capable of issuing certificates to any object or service, but for the sake of security and the PKI hierarchy, it is used to issue certificates only to subordinate CAs.
  • Subordinate CAs: In a PKI, subordinate CAs are responsible for issuing, storing, managing, and revoking certificates for objects or services. Once a CA receives a request, it processes it and issues the certificate. A PKI can have multiple subordinate CAs. Each subordinate server should have its own certificate from the root CA. The validity period of these certificates is normally longer than that of ordinary certificates. A subordinate CA also needs to renew its certificate from the root CA when it reaches the end of the validity period. Subordinate CAs can have more subordinate CAs under them. In such situations, subordinate CAs are also responsible for issuing certificates to the subordinate CAs beneath them. Subordinate CAs that have further subordinate CAs under them are called intermediate CAs. These are not responsible for issuing certificates to users, devices, or services. The subordinate servers that issue certificates are called issuing CAs.
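
The role split described above can be checked against a certificate inventory. The following is an added example, not code from the book: it labels each CA as root, intermediate, or issuing from who issued what, and reports where a hierarchy departs from the roles described here. The record format (subject, issuer, is_ca) and every name in the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory: (subject, issuer, is_ca). All names are made up.
CERTS = [
    ("Root CA", "Root CA", True),
    ("Policy CA", "Root CA", True),
    ("Issuing CA 1", "Policy CA", True),
    ("Issuing CA 2", "Root CA", True),
    ("Branch CA", "Issuing CA 2", True),
    ("web01", "Issuing CA 1", False),
    ("alice", "Issuing CA 2", False),   # Issuing CA 2 also has a CA below it
    ("legacy-app", "Root CA", False),   # root issuing straight to a service
]

def classify(certs):
    """Return (roles, findings) for a list of (subject, issuer, is_ca)."""
    cas = {subject for subject, _, is_ca in certs if is_ca}
    ca_children, leaf_children = defaultdict(list), defaultdict(list)
    for subject, issuer, is_ca in certs:
        if subject != issuer:  # a self-signed certificate has no parent
            (ca_children if is_ca else leaf_children)[issuer].append(subject)

    roles, findings = {}, []
    for subject, issuer, is_ca in certs:
        if not is_ca:
            continue
        leaves = sorted(leaf_children[subject])
        if subject == issuer:
            roles[subject] = "root"
            if leaves:
                findings.append(f"{subject}: root issues directly to {leaves}")
            continue
        if issuer not in cas:
            findings.append(f"{subject}: issuer {issuer!r} not in inventory")
        if ca_children[subject]:
            roles[subject] = "intermediate"
            if leaves:
                findings.append(f"{subject}: intermediate also issues to {leaves}")
        else:
            # A subordinate CA with no CAs beneath it is treated as issuing.
            roles[subject] = "issuing"
    return roles, findings

if __name__ == "__main__":
    roles, findings = classify(CERTS)
    for name, role in roles.items():
        print(f"{role:12} {name}")
    for finding in findings:
        print("FINDING:", finding)
```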