Establishing a CA Naming Convention

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you configure CAs in your organization, you must establish a CA naming convention. Names for CAs cannot be more than 64 characters in length. You can create a name using any Unicode character, but you might want to use the ANSI character set if interoperability is a concern. The CA name does not have to be identical to the name of the computer.

The name that you specify when you configure a server to be a CA becomes, in Active Directory, the common name of the CA, and is reflected in every certificate that the CA issues. For this reason, it is important that you do not use the fully qualified domain name (FQDN) for the common name of the CA. Because the common name appears in every issued certificate, keeping the FQDN out of it means that malicious users who obtain a copy of a certificate cannot identify the fully qualified domain name of the CA and use it to create a potential security vulnerability.
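The rules above can be checked for a whole planned CA hierarchy before any server is configured. The following is an added example, not part of the original documentation or any Microsoft tool: the function name `check_ca_name`, the sample names, and the `.example` host names are constructed, and treating "ANSI" as the Windows-1252 code page and flagging any dotted DNS-shaped name are assumptions.

```python
import re

MAX_CA_NAME_LEN = 64  # limit stated on this page

# Heuristic (assumption): two or more dot-separated DNS labels look like an FQDN.
_DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_SHAPE = re.compile(rf"^{_DNS_LABEL}(?:\.{_DNS_LABEL})+\.?$")


def check_ca_name(name, server_fqdn=None, ansi_codepage="cp1252"):
    """Return (errors, warnings) for a proposed CA common name."""
    errors, warnings = [], []
    if len(name) > MAX_CA_NAME_LEN:
        errors.append(f"name is {len(name)} characters; limit is {MAX_CA_NAME_LEN}")
    try:
        # Assumption: "ANSI" is taken to mean Windows-1252 unless overridden.
        name.encode(ansi_codepage)
    except UnicodeEncodeError as exc:
        bad = name[exc.start:exc.end]
        warnings.append(f"{bad!r} is outside {ansi_codepage}; interoperability risk")
    folded = name.strip().rstrip(".").lower()
    if server_fqdn and server_fqdn.rstrip(".").lower() in folded:
        # The common name is copied into every issued certificate.
        errors.append("name contains the server's FQDN")
    elif _FQDN_SHAPE.match(name.strip()):
        warnings.append("name has the shape of an FQDN")
    return errors, warnings


# Constructed sample plan: (proposed CA name, FQDN of the server that will host it)
PLAN = [
    ("Contoso Issuing CA 01", "ca01.corp.contoso.example"),
    ("ca01.corp.contoso.example", "ca01.corp.contoso.example"),
    ("Contoso Wurzel-Zertifizierungsstelle \u4e2d", "root.corp.contoso.example"),
    ("Contoso " + "X" * 60, "ca02.corp.contoso.example"),
]

if __name__ == "__main__":
    for ca_name, fqdn in PLAN:
        errs, warns = check_ca_name(ca_name, fqdn)
        status = "FAIL" if errs else ("WARN" if warns else "OK")
        print(f"{status:4} {ca_name!r}: {errs + warns}")
```

Errors correspond to the hard rules on this page (length, FQDN as common name); warnings cover the interoperability advice and the heuristic FQDN-shape check.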

Note

  • You cannot change the name of a server after Certificate Services has been installed without invalidating all the certificates issued by the CA. To change the server name after Certificate Services has been installed, you must uninstall the CA, change the name of the server, reinstall the CA, and reissue all the certificates issued by the CA. You do not have to reinstall a CA if you rename a domain; however, you will have to reconfigure the CA to support the name change.