Defining CA Roles in the Trust Hierarchy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After you have designed the trust hierarchy for your organization, you must define the roles for your root, policy, and issuing CAs.

The root CA, for example, might be used to sign, certify, and/or revoke subordinate CAs. Intermediate or policy CAs might serve internal or external customers, or, in larger organizations, might serve more specialized functions or locations. Issuing CAs and registration authorities (RAs) might be defined according to the clients that they serve or the certificates that they issue.

You might assign some or all of the following roles to your intermediate and issuing CAs:

  • Intermediate CA. Certifies subordinate CAs to issue certificates.

  • Rudimentary CA. Issues certificates for the most basic operations, such as user authentication without an identity check.

    Note: Stand-alone CAs are primarily used in intermediate and rudimentary roles.

  • Basic security CA. Issues certificates, based on an Active Directory identity check, to users and computers that do not have special security requirements.

  • Medium security CA. Issues certificates to users and computers that meet special security requirements and whose identities are validated in Active Directory.

  • High security CA. Issues certificates to users or computers that meet especially high security requirements, and whose identities must be verified by means of the examination of physical credentials.

    Note: Enterprise CAs are primarily used for basic, medium, and high security roles.

Keep the following considerations in mind as you define CA roles:

  • Use a three-tier hierarchy with policy CAs only if necessary.

  • Third-party CAs can form all or part of a Windows Server 2003 CA trust hierarchy.

  • Some third-party products might require other CA trust models that might not be interoperable with rooted CA hierarchies. Windows Server 2003 and most commercial CAs support rooted CA hierarchies.
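The three-tier design described above (root CA certifying a policy CA, which certifies an issuing CA, which issues end-entity certificates) is enforced by the pathLenConstraint in each CA certificate's basic constraints, not just by the deployment plan. The following Go program is an added example, not part of this page or of Windows Server 2003 Certificate Services (which configures these values through the CA setup wizard and CAPolicy.inf rather than code); it builds the hierarchy with the Go standard library, issues a user certificate from the issuing CA, verifies the chain, and then shows that a certificate issued by an unplanned fourth tier beneath the issuing CA fails validation even though every signature on it is correct. All CA and subject names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with its signing key. All names in this file are constructed.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	return s
}

// template builds a certificate template. A CA gets a pathLenConstraint stating how many
// further CA tiers may sit below it (2 for the root, 1 for the policy CA, 0 for an issuing
// CA); an end-entity certificate gets cA=FALSE and a client-authentication usage.
func template(cn string, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0 // flag needed to encode an explicit 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a key for tmpl and has parent sign it; a nil parent self-signs (root CA).
func issue(tmpl *x509.Certificate, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// hierarchy is the three-tier design plus one certificate issued to a user.
type hierarchy struct{ root, policy, issuing, leaf *ca }

func buildHierarchy() (*hierarchy, error) {
	var h hierarchy
	var err error
	if h.root, err = issue(template("Example Root CA", true, 2), nil); err != nil {
		return nil, err
	}
	if h.policy, err = issue(template("Example Policy CA", true, 1), h.root); err != nil {
		return nil, err
	}
	if h.issuing, err = issue(template("Example Issuing CA", true, 0), h.policy); err != nil {
		return nil, err
	}
	if h.leaf, err = issue(template("user@example.test", false, 0), h.issuing); err != nil {
		return nil, err
	}
	return &h, nil
}

// verifyChain validates leaf against the root through the planned intermediates (plus any
// extra ones supplied) and returns the length of the chain found: 4 for leaf -> issuing -> policy -> root.
func verifyChain(h *hierarchy, leaf *x509.Certificate, extra ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.root.cert)
	inters.AddCert(h.policy.cert)
	inters.AddCert(h.issuing.cert)
	for _, c := range extra {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// extraTierRejected stands up an unplanned CA beneath the issuing CA (pathLen 0) and shows
// that a certificate it issues is rejected by path validation; the returned string is the reason.
func extraTierRejected(h *hierarchy) (bool, string) {
	sub, err := issue(template("Unplanned Sub CA", true, 0), h.issuing)
	if err != nil {
		return false, err.Error()
	}
	leaf, err := issue(template("someone@example.test", false, 0), sub)
	if err != nil {
		return false, err.Error()
	}
	_, err = verifyChain(h, leaf.cert, sub.cert)
	return err != nil, fmt.Sprint(err)
}

func main() {
	h, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	n, err := verifyChain(h, h.leaf.cert)
	fmt.Printf("user certificate chain length: %d (err: %v)\n", n, err)
	rejected, reason := extraTierRejected(h)
	fmt.Printf("certificate from a CA below the issuing CA rejected: %v (%s)\n", rejected, reason)
}
```

The pathLen values are the design decision the text asks you to make: the root's value caps the depth of the whole hierarchy, the policy CA's value allows exactly one issuing tier beneath it, and the issuing CA's value of 0 means it can issue to users and computers but cannot certify another CA. A relying party enforces those limits at validation time, so a subordinate CA created outside the plan produces certificates that do not validate.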