Certification authorities

A certification authority (CA) is an entity entrusted to issue certificates to individuals, computers, or organizations that affirm the identity and other attributes of the certificate subject to other entities. A CA accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to apply its digital signature to the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a public key infrastructure (PKI). A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).

A CA can be a remote third party, such as VeriSign, or it can be a CA that you create for use by your organization by installing Windows 2000 Certificate Services. Each CA can have distinct proof-of-identity requirements for certificate requesters, such as a Windows 2000 domain account, employee badge, driver's license, notarized request, or physical address. Identification checks such as this often warrant an onsite CA, so that organizations can validate their own employees or members.

Enterprise CAs in Windows 2000 use a person's Windows 2000 user account credentials as proof of identity. In other words, if you are logged on to a Windows 2000 domain and request a certificate from an enterprise CA, the CA knows that you are who Active Directory says you are.

Every CA also has a certificate to confirm its own identity, issued by another trusted CA or, in the case of root CAs, issued by itself. It is important to remember than anyone can create a CA. The real question revolves around whether you, as a user or an administrator, trust that CA and, by extension, the policies and procedures that CA has in place for confirming the identity of the entities issued certificates by that CA.

For more information about certificates, see Certificates overview.

Root and subordinate certification authorities

A root CA, sometimes called a root authority, is meant to be the most trusted type of CA in an organization's PKI. Typically, both the physical security and the certificate issuance policy of a root CA are more rigorous than those for subordinate CAs; if the root CA is compromised or issues a certificate to an unauthorized entity, then any certificate-based security in your organization is suddenly vulnerable. While root CAs can be used to issue certificates to end users for such tasks as sending secure e-mail, in most organizations they will only be used to issue certificates to other CAs, called subordinate CAs.

A subordinate CA is a CA that has been certified by another CA in your organization. Typically, a subordinate CA will issue certificates for specific uses, such as secure e-mail, Web-based authentication, or smart card authentication. Subordinate CAs can also issue certificates to other, more subordinate CAs. Together, a root CA, the subordinate CAs that have been certified by the root, and subordinate CAs that have been certified by other subordinate CAs form a certification hierarchy.

For more information about certification hierarchies, see Certification authority hierarchies.

Enterprise and stand-alone certification authorities

This version of Certificate Services supports the installation of stand-alone CAs and enterprise CAs. For information about the operational characteristics of enterprise CAs and standalone CAs, see Enterprise certification authorities and Stand-alone certification authorities.