Why have an Offline Root Certificate Authority?

If a subordinate CA is compromised—whether through malware, unauthorized access, or cryptographic exploitation—its certificates can no longer be trusted. Every certificate issued by that CA will have to be revoked and, after the CA is rebuilt, reissued. If the PKI is configured as a single tier, then everything is lost.

But with two or more tiers you have options. Since the root CA remains protected, it can revoke the compromised CA's certificate and issue a new one. Once the compromised CA's certificate is revoked, every certificate it issued is invalid. But because this CA is not the root of trust for your PKI, there is a path to recovery.

Administrators can rebuild a secure PKI environment without a complete reset of the root CA, minimizing downtime and damage. A new issuing CA is created and, since the endpoints already trust the root CA, they trust the CAs that are subordinate to it. Endpoints can safely download and install the new issuing CA's certificate and reestablish trust with the certificates it issues.
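The recovery path described above, worked through on the OpenSSL command line as an added example (it is not part of the original post): the root signs an issuing CA, the issuing CA is revoked and replaced, and the chain is checked with CRLs at each step. It assumes a standard OpenSSL 1.1.1 or newer install; the CA and server names are made up.

```shell
# Two-tier PKI recovery drill (added example, not from the original post): the root revokes
# a compromised issuing CA and signs a replacement. Assumes OpenSSL 1.1.1+; names are made up.
set -e
export CA=root                       # which CA "openssl ca" acts as (see ${ENV::CA})
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ee]
basicConstraints = critical,CA:FALSE
[ca]
default_ca = ca_cfg
[ca_cfg]
database = ${ENV::CA}.idx
certificate = ${ENV::CA}.crt
private_key = ${ENV::CA}.key
default_md = sha256
default_crl_days = 30
EOF
issue() {   # $1 = issuing CA, $2 = subject name, $3 = extension section in pki.cnf
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout "$2.key" \
    -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions "$3" -out "$2.crt" 2>/dev/null
}
# Publish a CA's current CRL (empty until that CA has revoked something).
crl() { touch "$1.idx"; CA=$1 openssl ca -config pki.cnf -gencrl -out "$1.crl" 2>/dev/null; }
verify() {  # $1 = issuing CA, $2 = leaf, $3 = file holding every CRL in the chain
  openssl verify -crl_check_all -CAfile root.crt -CRLfile "$3" -untrusted "$1.crt" "$2.crt"
}
# The root key is created once and then kept offline: it signs only issuing-CA certs and its CRL.
openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj /CN=Root -days 3650 2>/dev/null
issue root issuing1 v3_ca; issue issuing1 server1 v3_ee
crl root; crl issuing1; cat root.crl issuing1.crl > crls-before.pem
verify issuing1 server1 crls-before.pem              # server1.crt: OK
# Issuing CA 1 is compromised: the root revokes its certificate and publishes a fresh CRL.
openssl ca -config pki.cnf -revoke issuing1.crt 2>/dev/null
crl root; cat root.crl issuing1.crl > crls-after.pem
verify issuing1 server1 crls-after.pem || true       # error 23 ...: certificate revoked
# Recovery: the root signs issuing CA 2; endpoints trust the root, so they trust the new chain.
issue root issuing2 v3_ca; issue issuing2 server2 v3_ee
crl issuing2; cat root.crl issuing2.crl > crls-new.pem
verify issuing2 server2 crls-new.pem                 # server2.crt: OK
```

Because `-crl_check_all` checks every certificate in the chain, the file handed to `verify` must contain both the root's CRL and the issuing CA's CRL, which is why an (initially empty) CRL is published for each issuing CA; endpoints that skip revocation checking would keep accepting the compromised chain.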
