The first step to establish a certification hierarchy is to install a root certification authority (CA).
The installation process for a Certificate Services root authority generates a root CA certificate containing the CA's public key and a digital signature created with the root's own private key; in other words, the root certificate is self-signed. If the root authority is installed using Windows 2000 Certificate Services on a server that has access to Active Directory, the root authority's certificate is automatically placed in the Trusted Root Certification Authorities certificate store of every domain user, thereby establishing domain-wide trust in the root CA.
If your organization is using a third-party certification authority from outside your organization as the root authority (such as Verisign), you will need to obtain the root certificate and distribute it to every user and computer that needs to establish trust in the third-party root authority. One way to distribute a third party's root certificate to Windows 2000 users is to use a certificate trust list (CTL) via Group Policy. See Enterprise trust policy for more information about distributing third-party root certificates using Group Policy.
If your organization is using its own non-Microsoft certification authority (CA) as the root authority, you will need to obtain the root certificate and distribute it to every user and computer that needs to establish trust in the non-Microsoft root CA. One way to distribute a non-Microsoft root certificate to Windows 2000 users is to use the Trusted Root Certification Authorities policy setting via Group Policy. See Policies to establish trust of root certification authorities for more information about distributing non-Microsoft root certificates using Group Policy.
After trust in a root authority has been established, you can install certification authorities (CAs) that are "subordinate" to the root CA, as well as subordinate CAs that are subordinate to other subordinate CAs. By doing this, you can create a chain of parent-child relationships between CAs that serve different functions in an organization's public key infrastructure (PKI). The only significant difference in the installation process between a root CA and a subordinate CA is that a subordinate CA generates a certificate request for submission to another CA instead of creating a self-signed certificate. This request may be routed automatically to online CAs located via Active Directory, or routed manually if the parent CA is offline. In either case, the resulting certificate must be installed on the new subordinate CA before it can begin operation.
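The hierarchy described above (a self-signed root, subordinate CAs that submit a certificate request to their parent instead of self-signing, and clients that trust the chain only because the root certificate is in their trusted root store) can be walked through end to end in code. The following Go program is an added example written for this page; it is not Certificate Services code and does not model Active Directory or Group Policy. It uses only the Go standard library, and the CA names ("Example Root CA", "Example Policy CA", "Example Issuing CA") and the path length values are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a CA certificate with the private key that signs under it.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// caTemplate builds a CA certificate template; pathLen limits how many CAs may
// sit beneath this one (0 means it may issue only end-entity certificates).
func caTemplate(cn string, pathLen int) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial (constructed)
	return &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewRootCA creates a self-signed root: the certificate carries the root's
// public key and a signature made with the root's own private key.
func NewRootCA(cn string, pathLen int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := caTemplate(cn, pathLen)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// parentAllowsSubordinate reports whether the parent's path length constraint
// leaves room for a CA with the requested pathLen beneath it.
func parentAllowsSubordinate(parent *x509.Certificate, pathLen int) bool {
	if parent.MaxPathLen < 0 || (parent.MaxPathLen == 0 && !parent.MaxPathLenZero) {
		return true // parent carries no path length constraint
	}
	return parent.MaxPathLen > pathLen
}

// NewSubordinateCA plays both sides of a subordinate installation: the new CA
// generates a certificate request instead of a self-signed certificate, the
// parent CA checks and signs it, and the issued certificate is installed on the
// subordinate. The parent's private key never leaves the parent.
func NewSubordinateCA(cn string, parent *CA, pathLen int) (*CA, error) {
	if !parentAllowsSubordinate(parent.Cert, pathLen) {
		return nil, errors.New("parent CA's path length constraint forbids this subordinate")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Subordinate side: build the request that is routed to the parent CA.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	// Parent side: parse the request, verify its proof of possession, then issue.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := caTemplate(csr.Subject.CommonName, pathLen)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, csr.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// ChainsToTrustedRoot reports whether cert chains to a root in trustedRoots, the
// role the Trusted Root Certification Authorities store plays on a client.
// intermediates are the subordinate CA certificates available to build the chain.
func ChainsToTrustedRoot(cert *x509.Certificate, trustedRoots, intermediates []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	for _, i := range intermediates {
		inters.AddCert(i)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots, // an empty pool, not nil, so the OS store is never consulted
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	root, _ := NewRootCA("Example Root CA", 2)
	policy, _ := NewSubordinateCA("Example Policy CA", root, 1)
	issuing, _ := NewSubordinateCA("Example Issuing CA", policy, 0)
	chain := []*x509.Certificate{policy.Cert}
	fmt.Println("trusted with root installed:", ChainsToTrustedRoot(issuing.Cert, []*x509.Certificate{root.Cert}, chain))
	fmt.Println("trusted with empty root store:", ChainsToTrustedRoot(issuing.Cert, nil, chain))
	_, err := NewSubordinateCA("Too Deep CA", issuing, 0)
	fmt.Println("fourth tier rejected:", err != nil)
}
```

The trust-store argument to ChainsToTrustedRoot is the whole point of the distribution steps above: the same issuing CA certificate verifies when the root certificate is present and fails when the store is empty or holds an unrelated root, which is exactly the situation a user is in before a third-party or non-Microsoft root has been pushed out by Group Policy. The path length constraint on each CA certificate is the check a parent CA should make before signing a request from a would-be subordinate, so that the hierarchy cannot grow deeper than was planned.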
Note that there is a relationship between the enterprise CAs and the Windows 2000 domain trust model, but this does not imply a direct mapping between CA trust relationships and domain trust relationships. There is nothing that prevents a single CA from servicing entities in multiple domains or even entities outside the domain boundary. Similarly, a given domain may have multiple enterprise CAs.
For a brief overview of certification hierarchies, see Certification authority hierarchies.
For extensive information about planning certification hierarchies, refer to the Windows 2000 Resource Kits.