Certificates and certification authorities

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificates and certification authorities

When a certificate is presented to an entity as a means of identifying the certificate holder (the subject of the certificate), it is useful only if the entity receiving the certificate trusts the issuer, which is often referred to as the certification authority (CA).

When you trust a certification authority, that means you have confidence that the certification authority has the proper policies in place when evaluating certificate requests and will deny certificates to any entity that does not meet those policies. In addition, you trust that the certification authority will revoke certificates that should no longer be considered valid by publishing an up-to-date certificate revocation list. Certificate revocation lists are considered valid until they expire. So even if the CA publishes a new certificate revocation list with newly revoked certificates listed, all clients that have an old certificate revocation list will not look for, nor retrieve the new one until the old one expires or is deleted. Clients can use the CA Web pages to manually retrieve the most current certificate revocation list if necessary.

For Windows Server 2003 users, computers, and services, trust in a certification authority is established when you have a copy of the root certificate in the trusted root certification authorities store, as well as having a valid certification path, meaning that none of the certificates in the certification path has been revoked or has had its validity period expire. The certification path includes every certificate issued to each CA in the certification hierarchy from a subordinate CA to the root CA. For example, for a root CA, the certification path is one certificate, its own self-signed certificate. For a subordinate CA, just below the root CA in the hierarchy, its certification path is two certificates: its own certificate and the root CA certificate.

Certification hierarchy

If your organization is using Active Directory, then trust in your organization's certification authorities will typically be established automatically, based on decisions and settings made by the system administrator.

A related concept with which you should be familiar is certificate store inheritance. If you place a root CA certificate into the computer's trusted root certification authorities store or enterprise trust store, then any user of the computer will see that certificate in their own user trusted root certification authorities store or enterprise trust store even though the root certificate is actually in the computer's store. Essentially, users will trust any CA that their computer trusts. Certificate store inheritance does not work the other way around: certificates in the user's trusted root certification authorities store and enterprise trust store are not inherited by the computer.

If your organization is using the version of Certificate Services installed with the Windows Server 2003 family to run its certification authority, the certification authority is one of two types: enterprise or stand-alone. The differences between the two standard types of Windows Server 2003 certification authorities for certificate users and requesters are summarized below.

Enterprise certification authority

An enterprise certification authority depends upon Active Directory being present.

You can use the Certificate Request Wizard (which is started from within the Certificates snap-in), as well as certification authority Web pages, to request certificates from an enterprise certification authority.

An enterprise certification authority offers different types of certificates to a requester based on the certificates it is configured to issue as well as the security permissions of the requester. An enterprise certification authority uses information available in Active Directory to help verify the requester's identity. An enterprise certification authority publishes its certificate revocation list to Active Directory as well as to a shared directory.

Stand-alone certification authority

A stand-alone certification authority is less automated for a user than an enterprise certification authority because it does not depend on the use of Active Directory.

By default, users can request certificates from a stand-alone certification authority only by using Web pages.

Stand-alone certification authorities that do not use Active Directory will generally have to request that the certificate requester provide more complete identifying information. A stand-alone certification authority makes its certificate revocation list available from a shared folder, or from Active Directory, if it is available.


  • For more information about the Certificate Services policy and exit modules, which determine whether a Windows Server 2003 certification authority is enterprise or stand-alone, see Policy and exit modules.

  • It is possible to customize a Windows Server 2003 certification authority with a policy module that is different from the one installed with the Windows Server 2003 operating system. In that case, the certification authority is technically neither a stand-alone nor an enterprise certification authority, but may have qualities of one or the other.

For more information, see Certification Authorities, Certificate Services overview, Requesting certificates, Using Windows 2000 Certificate Services Web pages, Certificate stores, and Certificates Resources