Certificate Services form the basis of a public key infrastructure (PKI). A computer running Windows Server 2003 that has Certificate Services installed is known as a certification authority (CA). Windows Server 2003 supports four types of CAs. Enterprise root CAs are the first CAs installed in a forest. They can issue certificates directly, though it is a better practice to allow the second type of CA, the enterprise subordinate CA, to issue certificates in the root's place. Enterprise CAs are heavily integrated with Active Directory and cannot be installed on standalone computers running Windows Server 2003 that are not members of the domain. The other two types of CA are the standalone root and the standalone subordinate CAs. These CAs can exist independently of Active Directory. If they are installed in an Active Directory environment, they can make use of Active Directory; however, they will not be able to automatically issue certificates to Active Directory users in the way that an enterprise root CA can.

Because CAs play such a fundamental role in the PKI, they must be backed up periodically. If a root CA is lost and no backup exists, all certificates that it has issued, in addition to those issued by subordinate CAs, will become invalid.