Configure Public Key Group Policy

You can use the Group Policy MMC snap-in to configure public key Group Policy for sites, domains, and organizational units. You can configure the following optional categories of public key policy:

EFS Recovery Agents

By default, the local Administrator user account for the first domain controller installed in the domain is the EFS recovery account for that domain. You can specify alternate encrypted data recovery agents for EFS by importing the appropriate alternate agent's EFS recovery agent certificate into policy. Therefore, you must first issue EFS recovery agent certificates to the user accounts on the local computers that you want to use as alternate recovery agents.

Automatic Certificate Enrollment

You can specify automatic enrollment and renewal for computer certificates. When automatic enrollment is configured, the specified certificate types are issued to all computers within the scope of the public key Group Policy. Computer certificates issued by automatic enrollment are renewed from the issuing CA. Automatic enrollment does not function unless at least one enterprise CA is online to process certificate requests.

For virtual private networks (VPNs) using IPSec with L2TP, remember to set up Group Policy to permit automatic enrollment for IPSec certificates. Of the certificate types listed in Table 12.2, any Rivest-Shamir-Adleman (RSA)-signed certificate that is issued to a computer and stored in the computer account can be used for IPSec. For more information about certificates for L2TP over IPSec VPN connections, see Windows 2000 Server Help.

Root Certificate Trust

When you install an enterprise root CA, the CA's certificate is added to the Trusted Root Certification Authorities container for the domain. You can also interactively add certificates for other root CAs to the Trusted Root Certification Authorities container in the Group Policy MMC snap-in. The root CA certificates that you add become trusted root CAs within the scope of the Group Policy. If you want to use a stand-alone CA or a third-party CA as a root CA in a certification hierarchy, you must add that CA's certificate to the Trusted Root Certification Authorities container in Group Policy.
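Because every root added here is trusted by every computer in the policy's scope, an administrator should be able to audit which roots policy actually deploys. The following script is an added example, not part of the Resource Kit text; it assumes Windows PowerShell with the Cert: provider and reads the registry key under which Group Policy stores deployed root certificates.

```powershell
# Added example (not from the original documentation): list the root CA
# certificates that public key Group Policy has deployed to this computer,
# so only intended roots (the enterprise root CA, approved third-party roots)
# are trusted. Assumes Windows PowerShell with the Cert: drive available.

# Roots deployed by Group Policy are written under this key, one subkey per
# certificate, named by the certificate's SHA-1 thumbprint.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

if (-not (Test-Path $policyKey)) {
    Write-Output 'No root CA certificates are currently deployed by Group Policy.'
    return
}

$policyThumbprints = (Get-ChildItem $policyKey).PSChildName

# The logical LocalMachine\Root store merges the locally installed and the
# policy-deployed physical stores, so match each policy thumbprint there to
# obtain a parsed certificate object.
$policyRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $policyThumbprints -contains $_.Thumbprint }

$policyRoots |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# Flag roots that have expired or that are not self-signed; a non-root
# certificate placed in the Root container is a configuration mistake to review.
foreach ($cert in $policyRoots) {
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Expired policy root: $($cert.Subject)"
    }
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Not self-signed, should not be a root: $($cert.Subject)"
    }
}
```

Run it from an elevated prompt on a domain member; `certutil -grouppolicy -store Root` shows the same policy store from the command line without the checks.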

Certificate Trust Lists

You can create certificate trust lists to trust specific CAs and to restrict the uses of certificates issued by the CAs. For example, you can use a certificate trust list to trust certificates issued by a commercial CA and restrict the permitted uses for those certificates. You can also use certificate trust lists to control trust on an extranet for certificates issued by CAs that are managed by your business partners.

For instance, your company might be engaged in a joint venture with another company. The partner company could issue its own certificates for Web access, secure e-mail, software signing, and so forth. You might want to exchange secure e-mail with employees of the partner company, but you do not want to issue certificates for this purpose. You can add the other company's root CA to a new certificate trust list in your enterprise trust container, specifying that the partner certificates will be trusted for e-mail only.