This figure shows a very simple certificate authority hierarchy consisting of a root CA at the top, which controls two subCAs each of which is represented by a subordinate box. Each subCA is online and directly serves the certificate needs of users in its region.