Share via


Public Key Policies overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Public key policies overview

You can use the public key policy settings in Group Policy to:

  • Have computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate. This is useful for ensuring that computers have the certificates that they need to perform public key cryptographic operations in your organization, for example, for Internet Protocol security (IPSec) or for client authentication. For more information about certificate autoenrollment for computers, see Automatic certificate request settings.

  • Create and distribute a certificate trust list (CTL). A certificate trust list is a signed list of root certification authority certificates that an administrator considers reputable for designated purposes such as client authentication or secure e-mail. For example, if you want to trust a certification authority's certificates for IPSec, but not for client authentication, you can implement that trust relationship with a certificate trust list. For more information about certificate trust lists, see Enterprise trust policy.

  • Establish common trusted root certification authorities. You can use this policy setting to make computers and users subject to common root certification authorities (in addition to the ones that they already trust individually). It is not necessary to use this policy setting for certification authorities in a domain, because they are already trusted by all users and computers in the domain. This policy is primarily for establishing trust in a root certification authority that is not a part of your organization. For more information about root certification authorities, see Policies to establish trust of root certification authorities.

  • Add encrypted data recovery agents, and change the encrypted data recovery policy settings. For more information about this policy setting, see Recovering data. For a general overview of Encrypting File System (EFS), see Encrypting File System overview.

It is not necessary for you to use these public key policy settings in Group Policy to deploy a public key infrastructure in your organization. However, these settings give you additional flexibility and control when you establish trust in certification authorities, issue certificates to computers, and deploy EFS across a domain.