Establishing a Root CA

Creating a Root CA

A root CA is created by configuring the software to generate a public and private key pair (see my article in Security for more background information). The server then creates a self signing certificate, in which the server vouches for its own identity. This is a very important concept as it represents the implied trust we place in the Root CA. Without any external identity certifying the identity of the Root CA, we must simply take the Root CA’s word that it is the root. Trust in a Root CA is indicated on Windows by placing a copy of the Root CA’s certificate in the trusted root certification authorities store on the local computer. You can view the content of this store by using the property pages of Internet Explorer.

As you can see, Windows includes many baked in roots. These are the certificates of CAs that Microsoft has decided you may trust. You can modify this list by either deleting the certificates of CAs you prefer not to trust, importing the certificates of CAs you do trust, or by using a Certificate Trust List (CTL) in group policy to configure the list of trusted CAs for all computers affected by the policy.