Policies to establish trust of root certification authorities

When a client presents a certificate to a host, the host has to trust the certificate of the root certification authority (CA) in the certification path to accept the certificate as a valid credential. You might want to establish trust automatically in specific root CAs for groups of users or computers.

You can use Public Key Policies in Group Policy to establish common trusted root CAs for the users and computers that are associated with a Group Policy object When you apply the Group Policy object to a site, domain, or organizational unit, the policy is inherited by the corresponding computers. These computers then trust the root CAs whose certificates you have imported into the trusted root certification authority policy.

You have the option of designating trusted CAs by using either the trusted root certification authority policy or the enterprise trust policy. Use the following guidelines in determining which policy to use:

If your organization has its own Windows 2000 root CAs and uses Active Directory, you do not need to use the Group Policy mechanism to distribute the root certificates.

If your organization has its own root CAs that are installed on servers that are not running Windows 2000, use the trusted root certification authority policy to distribute your organization's root certificates. For more information, see Trusted root certification authority policy 

If your organization does not have its own CAs, use the enterprise trust policy to create certificate trust lists (CTL) to establish your organization's trust of external root CAs.

For more information, see:

Enterprise trust policy 

Public Key Policies overview 

© 2017 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies