Establishing a Root CA

Creating a CA

Creating a new CA is a very involved task. The technical steps are fairly easy, as most CA software packages are very simple. The difficult part is planning the implementation. Planning a CA is beyond the scope of this article.

Windows Server 2003 includes Microsoft Certificate Services, a collection of software packages that allows you to install, configure and manage a CA. At a high level, Certificate Services can be configured in two ways: as an enterprise CA or as a stand-alone CA. The difference is the issuance policies that are used. Enterprise CAs rely primarily on software issuance policies. If you have a valid Active Directory user account with the appropriate permissions, you will automatically be granted a certificate if you request one. A stand-alone CA requires that an administrator, often called a certificate manager, review each request and manually approve or deny it. In either case, the configuration is simple but irreversible. You select the type of CA (enterprise or stand-alone) during installation of Certificate Services, and it cannot be changed without uninstalling and reinstalling Certificate Services. You must also choose whether the CA you are installing will be a root CA or a subordinate CA.