Designing Root CAs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A CA infrastructure consists of a hierarchy of CAs that trust one another and authenticate one another's certificates. At the top of this hierarchy there must be a final authority, called a root CA. The root CA certifies the other certification authorities that publish and manage certificates within the organization. Before you establish a CA hierarchy, you must determine the following:

  • Who designates the root certification authority in the organization. For example, determine whether this is the responsibility of central IT, divisional IT departments, or a third-party organization.

  • Where the root certification authority is to be located.

  • Who manages the root certification authority.

  • Whether the role of the root CA is only to certify other certification authorities, or also to issue certificates directly in response to requests from users.

After you have made these determinations, you can define the roles for any additional certification authorities, including who manages them and what trust relationships they have with other CAs. For more information about CA roles, see "Defining CA Roles in the Trust Hierarchy" later in this chapter.