A subordinate CA certificate used to issue end-entity certificates while keeping root keys offline and protected.