As mentioned in the two tier hierarchy explanation, the two tier hierarchy has two CA types: Root CA and Issuing/Subordinate CA.
As the name implies, the Root CA is the root of trust for your PKI. To trust a certificate chain, the root certificate has to be added to the trusted root store of the operating system. How To Trust a New Root CA.
Since the root CA is the root of trust for your certificate chain, it has to be the most protected asset of your organization. If an attacker gets control of this CA they have the keys of the kingdom. This is why Root CAs are usually kept offline on a secure undisclosed location and are only turned on by the PKI team when a new Issuing CA is being Issued or a CRL is being signed.
When we designed EZCA we understood that we would have customers that would have existing Offline Root CAs that are already managed by their PKI team, and customers that do not have a root CA and do not want the cost and responsibility that comes with managing a Root CA. This is why we support both bring your own Root CA and managed Root CA. Learn More About Creating Your First Root CA
In a two tier hierarchy, the subordinate CA responsible to issue certificates to end users. To inherit the trust of the Root CA, the subordinate CA is signed by the root CA. One Root CA can have multiple subordinate CAs. It is recommended to separate subordinate CAs by the types of certificates they issue (for example S/MIME and SSL). Other common scenarios that call for multiple issuing CAs is having a CA for ECDSA certificates and another for RSA, or simply for geo-redundancy.
EZCA allows you to create geo-redundant subordinate/issuing CAs in minutes. To meet our customer’s needs we allow you to chain your CA up to a offline Root managed by your organization or to a EZCA Root CA. Create Your First Subordinate CA