In addition to the server and client authentication certificates issued by Microsoft® Certificate Server, there are certificates that identify Certificate Authorities (CAs). These are called CA (and sometimes site) certificates.
The CA certificate is a signature certificate that contains a public key used to verify digital signatures. It identifies the CA that issues server or client authentication certificates to the servers and clients that request these certificates. Clients use the CA certificate of the CA issuing the server certificate to validate the server certificate. Servers use the CA certificate of the CA issuing the client certificate to validate the client certificate.
A self-signed CA certificate is also called a root certificate because it is the certificate for the root CA. The root CA must sign its own CA certificate because by definition there is no higher certifying authority to sign its CA certificate.
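The two checks described above, as an added example using Go's standard `crypto/x509` package (not Microsoft Certificate Server code or anything from the original page): a certificate is validated with the public key in its issuer's CA certificate, and a root certificate validates against itself. The certificate names and the `issue`, `issuedBy` and `isRoot` helpers are constructed for illustration, and only issuer name and signature are checked, not validity period or revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a sample certificate: a self-signed root CA if parent is nil, else one signed by parentKey.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: no higher authority, so it signs its own certificate
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issuedBy reports whether ca's name matches cert's issuer and ca's public key verifies cert's signature.
func issuedBy(cert, ca *x509.Certificate) bool {
	return string(cert.RawIssuer) == string(ca.RawSubject) && cert.CheckSignatureFrom(ca) == nil
}

// isRoot reports whether c is a self-signed (root) CA certificate.
func isRoot(c *x509.Certificate) bool { return issuedBy(c, c) }

func main() {
	root, rootKey := issue("Example Root CA", nil, nil)
	server, _ := issue("server.example.test", root, rootKey)
	other, _ := issue("Example Root CA", nil, nil) // same name, different key pair
	fmt.Println(isRoot(root), isRoot(server), issuedBy(server, root), issuedBy(server, other)) // true false true false
}
```

The last result is the one to note: a CA certificate that carries the same name but a different key pair does not validate the server certificate, because the signature check depends on the issuing CA's public key.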
Note: One other kind of certificate, the key exchange certificate, is also used by Microsoft® Certificate Server. On rare occasions, client applications use the key exchange certificate to encrypt information sent to the server.