Using a New Root CA Configuration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You or your partner organization can create a new root CA to establish an extended CA infrastructure that supports your business requirements. The structure of this extended CA infrastructure is similar to that of an extended infrastructure based on a third-party root CA. With a new root CA configuration, however, you and your partner organization must create a security management infrastructure, and must take responsibility for administering and maintaining the extended PKI. If one organization assumes this responsibility, the other organization must trust that its partner will protect the security interests of both parties.

This option can be more cost-effective than using a third-party root CA. In addition, you can use Windows Update to distribute new root certificates, improving reliability and decreasing costs.

The planning considerations for a new root CA–based extended infrastructure are similar to those that apply to your existing internal PKI. You and your partner organization are responsible for creating administrative policies for the root CA and enforcing the integrity of the new root.