Selecting an Extended CA Infrastructure Configuration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use one of three configurations to create an extended CA trust infrastructure:

  • Third-party root CA. Use a third-party CA as a root CA for a new extended CA hierarchy shared between two organizations.

  • New root CA. Establish your own new root CA to combine separate CA hierarchies for two organizations.

  • Cross-certification and qualified subordination. Keep the existing CA hierarchies separate, but use cross-certification and qualified subordination to implement as much or as little trust as needed between the two organizations.

Each approach has advantages and disadvantages. If you need to extend your CA infrastructure to include third-party PKIs, evaluate your organization's requirements to determine which method is most appropriate.