Policies to establish trust of root certification authorities

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When a client presents a certificate to a host, the host must trust the certificate of the root certification authority (CA) at the top of that certificate's certification path before it will accept the certificate as a valid credential. You might want to establish trust in specific root CAs automatically for groups of users or computers rather than configuring each host by hand.

You can use the public key policy in Group Policy to establish common trusted root CAs for the users and computers associated with a Group Policy object (GPO). When you apply the GPO to a site, domain, or organizational unit, the corresponding computers inherit the policy. These computers then trust the root CAs whose certificates you imported into the trusted root certification authority policy.
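The following PowerShell script is an added example and is not part of the original page or of the Windows documentation; it shows what "trusting the root CA in the certification path" means in practice on a host. It lists the root CAs in the computer's trusted root store (where roots imported through the trusted root certification authority policy appear once the GPO has applied) and then builds the certification path for a client certificate to see whether it terminates in one of them. The file path `C:\temp\client.cer` is a placeholder assumption, and revocation checking is turned off so the check runs offline and isolates the root-trust question.

```powershell
# Added example (not from the original page): audit root CA trust on a Windows host.
# Assumes PowerShell with the Cert: provider and the .NET X509 classes.
param(
    [string]$CertPath = 'C:\temp\client.cer'   # placeholder path for a client certificate to test
)

# 1. Enumerate the root CAs this computer currently trusts. Roots distributed through the
#    trusted root certification authority policy of a GPO show up here alongside locally
#    installed roots after the policy applies.
Write-Host "Trusted root CAs on ${env:COMPUTERNAME}:"
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter |
    Sort-Object Subject |
    Format-Table -AutoSize

# 2. Build the certification path for the presented certificate and report whether it ends in
#    a trusted root, which is the condition the page gives for accepting it as a credential.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is a separate concern; disable it so the result reflects root trust alone.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$trusted = $chain.Build($cert)

Write-Host "`nCertification path for $($cert.Subject):"
foreach ($element in $chain.ChainElements) {
    Write-Host ("  " + $element.Certificate.Subject)
}

if ($trusted) {
    Write-Host "`nResult: the path ends in a trusted root; the certificate would be accepted."
} else {
    Write-Host "`nResult: the path is NOT trusted. Status:"
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    # A status of UntrustedRoot means the path was built but its root CA is absent from the
    # trusted root store; distributing that root through the GPO policy (or importing it
    # locally) is what resolves it.
}
```

Run the script on a member computer after `gpupdate` has applied the GPO: the first section should show the root CA you imported into the policy, and the second should report a trusted path for certificates issued under it. A path that reports `UntrustedRoot` on one computer but not another usually means the policy has not applied to that computer's site, domain, or organizational unit.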

You have the option of designating trusted CAs by using either the trusted root certification authority policy or the enterprise trust policy. Use the following guidelines in determining which policy to use:

  • If your organization has its own Windows 2000 root CAs and uses Active Directory, you do not need to use the Group Policy mechanism to distribute the root certificates.

  • If your organization has its own root CAs that are installed on servers not running Windows 2000, use the trusted root certification authority policy to distribute your organization's root certificates. For more information, see Trusted root certification authority policy.

  • If your organization does not have its own CAs, use the enterprise trust policy to create certificate trust lists (CTLs) to establish your organization's trust of external root CAs. For more information, see Enterprise trust policy.

For more information, see Public Key Policies overview.