From what's described, it's unclear whether I have the whole context to
answer your specific questions, but I can answer the question
regarding Dogtag. See below.
I got perfect answers from both Fraser and you. Thanks a lot.
As I initially thought, a FreeIPA (or Dogtag, with fewer features?) is still the best idea.
But our (MS) AD/PKI admins had some doubts and were convinced that you have to deploy the subCA's CA certificate to clients.
To conclude:
- it is much simpler for our team to set up FreeIPA CA services as a subCA, also because we don't need to create and secure an offline CA in that case.
- we don't need to distribute certs to windows clients
- the rootCA (AD PKI) can always revoke our subCA when there is a problem/breach. Correct?
-- Pieter
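Added example, not from this thread: a small openssl script that exercises the last two points (a client needs only the root in its trust store, and the root can revoke the subCA). root.crt, sub.crt, leaf.crt and the CA names are made-up stand-ins for the AD root, the FreeIPA CA and a cert it issued; it assumes the openssl CLI is installed.

```shell
# Added example (not from the thread): a toy three-tier PKI built with the
# openssl CLI in a temp dir. root.crt stands in for the AD root, sub.crt for the
# FreeIPA sub CA, leaf.crt for a cert it issued. All names are made up.
set -e
W=$(mktemp -d); cd "$W"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
[ca]
default_ca = root
[root]
database = index.txt
default_md = sha256
default_crl_days = 7
certificate = root.crt
private_key = root.key
EOF
# Root (self-signed) -> sub CA -> server leaf
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 30 -subj "/CN=AD Root CA" 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=FreeIPA Sub CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.cnf -extensions ca_ext -out sub.crt 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=host.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 30 -extfile ca.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
# Client trust store holds only the root; the sub CA cert arrives in the chain
# the server sends (-untrusted), so nothing has to be deployed to clients.
verify_leaf_with_chain() { openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt >/dev/null 2>&1; }
# Same client, but the server sent the leaf alone: no path to the root.
verify_leaf_without_chain() { openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; }
# The root revokes the sub CA and publishes a CRL (index.txt is openssl ca's database).
revoke_sub_ca() { : > index.txt; openssl ca -config ca.cnf -revoke sub.crt >/dev/null 2>&1
                  openssl ca -config ca.cnf -gencrl -out root.crl >/dev/null 2>&1; }
# A CRL-checking client now rejects the sub CA (and hence everything under it)...
verify_sub_ca_with_crl() { openssl verify -crl_check -CAfile root.crt -CRLfile root.crl sub.crt >/dev/null 2>&1; }
# ...while a client that never fetches the CRL still accepts it.
verify_sub_ca_no_crl() { openssl verify -CAfile root.crt sub.crt >/dev/null 2>&1; }
verify_leaf_with_chain && echo "root-only trust, chain sent: accepted"
verify_leaf_without_chain || echo "root-only trust, leaf alone: rejected"
revoke_sub_ca
verify_sub_ca_with_crl || echo "after root CRL, CRL-checking client: sub CA revoked"
verify_sub_ca_no_crl && echo "after root CRL, client without CRL check: still accepted"
```

The last check is the caveat to the third point: revoking the subCA at the root only bites for clients that actually fetch and check the root's CRL (or OCSP), so that part of the AD PKI has to be reachable and enabled on the clients.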