Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Best practices

  • Plan your public key infrastructure (PKI) before deploying certification authorities (CAs).

    See Certificate Services Concepts and the resources listed in Resources: Public Key Infrastructure for information that will assist you with planning a PKI.

  • The root certification authority (CA) should be offline and its signing key should be secured by hardware and kept in a vault to minimize potential for key compromise.

    For more information, see Checklist: Creating a certification hierarchy with an offline root certification authority.

  • If you are going to use a custom policy module for a Windows 2000 certification authority, you should install Certificate Services using stand-alone policy and then replace stand-alone policy with your custom policy. Replacing enterprise policy on a CA with a custom policy is not supported and will have unpredictable results.
  • Only change security permissions for the certification authority (CA) using the Certification Authority snap-in. Setting permissions using other mechanisms (such as the Active Directory Sites and Services snap-in) may create problems for users attempting to access and request certificates from the certification authority.

    For more information, see Set security permissions and delegate control of a certification authority.

  • Organizations should not issue certificates to users or computers directly from the root certification authority (CA) but rather should deploy at least a three-level CA hierarchy composed of Root-Intermediate-Issuer CAs to provide flexibility and insulate the root certification authority from attempts to compromise its private key by malicious individuals.

    For more information, see

  • Backing up the certification authority (CA) database, the CA certificate and the CA keys is essential to protect against the loss of critical data. The CA should be backed up on a regular basis (daily, weekly, monthly) based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA.

    For more information, see Backing up and restoring a certification authority.

  • You should review the concepts of security permissions and access control in Windows, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester.

    For general information about access control and security permissions in Windows 2000, see Access Control. For the procedure to set access control on a CA, see Set security permissions and delegate control of a certification authority. For the procedure to set enterprise-wide access control on certificate templates, see Set security permissions and delegate control of certificate templates.
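The three-level hierarchy described above, built and checked with Go's standard x509 package as an added example (not Microsoft's code or a Windows 2000 procedure): the root signs only the intermediate CA, the issuing CA alone signs end-entity certificates, and a verifier confirms both that the chain validates to the root and that the root never signed the end-entity certificate. All CA names and the user name are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hierarchy is a constructed Root -> Intermediate -> Issuer -> end-entity chain.
type Hierarchy struct{ Root, Inter, Issuer, Leaf *x509.Certificate }
// mkCert issues a certificate for cn signed by parent; a nil parent means self-signed (a root CA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA assigns
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true} // basicConstraints marks CA vs end-entity
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root: it vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildHierarchy models the three-level design: only the issuing CA signs end-entity certificates.
func BuildHierarchy() Hierarchy {
	root, rootKey := mkCert("Example Root CA", true, nil, nil) // root key used once, then kept offline
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	issuer, issuerKey := mkCert("Example Issuing CA", true, inter, interKey)
	leaf, _ := mkCert("user@example.com", false, issuer, issuerKey)
	return Hierarchy{root, inter, issuer, leaf}
}
// ChainDepth validates the end-entity certificate up to the root; returns the chain length, 0 on failure.
func ChainDepth(h Hierarchy) int {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Inter)
	inters.AddCert(h.Issuer)
	chains, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil || len(chains) == 0 { return 0 }
	return len(chains[0])
}
// IssuedDirectlyByRoot reports whether the root signed the end-entity certificate (the practice to avoid).
func IssuedDirectlyByRoot(h Hierarchy) bool { return h.Leaf.CheckSignatureFrom(h.Root) == nil }
```

A validated chain of four certificates with IssuedDirectlyByRoot false is the expected shape; a two-certificate chain would mean the root is being used as an issuing CA.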
