Rooted Trust Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In a rooted trust model, the root CA is the trust anchor and has a self-signed certificate. The root CA issues a certificate to each of its direct subordinate CAs, which in turn issue certificates to their own subordinate CAs, if any. A subordinate CA is trusted cryptographically, based on the signature of its parent.

Figure 16.6 illustrates the rooted trust model.

Figure 16.6   Rooted Trust Model

Numerous products and services offered by major software vendors, including Microsoft, support rooted trust hierarchies. You can add a new CA to a rooted trust hierarchy by enrolling it to a CA anywhere in the trust hierarchy. If you create a new trust hierarchy, a party that wants to trust it only needs to trust the root CA of the new PKI in order to trust all the subordinate CAs in the new hierarchy.

A rooted trust model enables you to compartmentalize risks, management, and certificate processing. Rooted trust hierarchies are more scalable and easier to administer than other hierarchies because each CA serves a single role within the hierarchy and is not operationally dependent on other CAs.

Any CA in a rooted trust hierarchy is either a root or a subordinate but never both. Each CA is responsible for processing requests and issuing certificates signed by its own key; each CA is responsible for revoking certificates and publishing CRLs to accessible locations; and each CA can be managed separately by different personnel in different parts of an organization.

Because CAs in a rooted trust hierarchy can be online or offline, rooted trust hierarchies allow great flexibility in the ways in which you can deploy and manage a PKI. You can protect the private key of a CA by taking the CA offline. Because offline CAs are typically the root and/or policy CAs that only issue certificates to other CAs, taking the CA offline does not impact other parts of the hierarchy.

Because most protocols deliver a chain of certificates that terminates in a trusted root CA, rooted trust hierarchies provide a straightforward means by which CAs can determine whether a certificate can be trusted.

Note

  • If the certificate of a root CA expires, all certificates that are issued by the root CA or by its subordinate CAs also expire. For more information about managing certificate lifetimes, see "Selecting Certificate Security Options" later in this chapter.
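The chain walk described above (a certificate chain that terminates in a trusted root) and the root-expiry behaviour in the note, as an added example written with Go's standard crypto/x509 package; this is not code from the chapter or from Windows Server 2003. It builds a constructed root -> policy CA -> leaf hierarchy and validates the leaf the way a relying party would, before and after the root expires; the CA names, lifetimes and the server.example subject are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture construction here has no recovery path
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a fresh P-256 key and signs a certificate for it with signer's key; with
// parent == nil it signs itself, which is how the root CA (the trust anchor) is made.
func issue(cn string, ca bool, nb, na time.Time, parent *x509.Certificate,
	signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// Build makes a constructed root -> policy CA -> leaf chain from base; the root expires after 2 years, its descendants after 3 (the note's scenario).
func Build(base time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Root CA", true, base, base.AddDate(2, 0, 0), nil, nil)
	sub, subKey := issue("Policy CA", true, base, base.AddDate(3, 0, 0), root, rootKey)
	leaf, _ := issue("server.example", false, base, base.AddDate(3, 0, 0), sub, subKey)
	return root, sub, leaf
}
// Validate acts as the relying party: chain leaf -> sub -> anchor by signature and check every validity period at time at; nil means trusted.
func Validate(leaf, sub, anchor *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Validating one day after the root's NotAfter fails even though the policy CA and leaf certificates are still inside their own validity periods, which is exactly the cascade the note warns about.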