Install Certification Authorities

You must install the CA hierarchies necessary to provide the required certificate services for your organization. You install the root CA first and then each subordinate CA in the hierarchy. For example, to create a three-level CA hierarchy and trust chain, you install CAs on server computers in the following order:

1. Root CA

2. Intermediate CAs

3. Issuing CAs

The root CA certificate is self-signed. Each subordinate CA is certified (issued its certificate) by the parent CA in the hierarchy. In the example of a three-level certificate hierarchy, each intermediate CA is certified by the root CA and each issuing CA is certified by an intermediate CA in the hierarchy.

Note

It is possible for an intermediate CA to be certified by another intermediate CA, creating a deeper hierarchy.

You can install enterprise CAs, stand-alone CAs, or third-party CAs to create the required trust chains. To create a Windows 2000 Server CA, use the Add/Remove Software wizard in Control Panel to add Microsoft Certificate Services to each CA server.

During installation of Windows 2000 Server subordinate CAs, you can request the subordinate CA certificate from an online CA, or you can save the certificate request to a request file and make the certificate request offline. If you make an offline CA certificate request, the CA is not certified. You must manually use the Certification Authority MMC snap-in to import the CA's certificate and complete the CA installation after the certification authority's certificate has been issued by the parent CA. You can also use the same snap-in to import subordinate CA certificates issued by third-party parent CAs.