When a certificate is presented to an entity as a means of identifying the certificate holder (the subject of the certificate), it is useful only if the entity being presented the certificate trusts the issuer, which is often referred to as the certification authority (CA).
When you trust a certification authority, that means you have confidence that the certification authority has the proper policies in place when evaluating certificate requests and will deny certificates to any entity that does not meet those policies. In addition, you trust that the certification authority will revoke certificates that should no longer be considered valid by publishing an up-to-date certificate revocation list. Certificate revocation lists are considered valid until they expire. So even if the CA publishes a new certificate revocation list with newly revoked certificates listed, all clients that have an old certificate revocation list will neither look for nor retrieve the new one until the old one expires or is deleted. Clients can use the CA Web pages to manually retrieve the most current certificate revocation list if necessary.
For Windows 2000 users, computers, and services, trust in a certification authority is established when you have a copy of the root certificate in the trusted root certification authorities store, as well as a valid certification path, meaning that none of the certificates in the certification path has been revoked or has had its validity period expire. The certification path includes every certificate issued to each CA in the certification hierarchy from a subordinate CA to the root CA. For example, for a root CA, the certification path is one certificate, its own self-signed certificate. For a subordinate CA just below the root CA in the hierarchy, its certification path is two certificates: its own certificate and the root CA certificate.
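The two trust decisions described above, a certification path that must end at a certificate in the trusted root store with no expired certificate along the way, and a certificate revocation list that a client keeps honouring until it expires even after the CA has published a newer one, can be exercised end to end. The following Go program is an added example; it is not part of the original help text and does not use Windows 2000 Certificate Services. It relies on Go's standard crypto/x509 package, constructs its own throw-away root CA, subordinate CA and user certificate (the names, serial numbers and validity periods are assumed), and uses an in-memory certificate pool in place of the trusted root certification authorities store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA signs certificates and CRLs
const leafUsage = x509.KeyUsageDigitalSignature               // an end-entity (user) certificate
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn with the given key usage, valid from an hour ago until notAfter; parent == nil means a self-signed root CA.
func issue(cn string, serial int64, usage x509.KeyUsage, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA signs its own certificate
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// certificationPath builds leaf -> sub -> one of roots (the trusted root store) as of time at; an expired certificate anywhere in the path, or a root missing from the store, fails it.
func certificationPath(leaf, sub *x509.Certificate, at time.Time, roots ...*x509.Certificate) ([]*x509.Certificate, error) {
	store, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		store.AddCert(r)
	}
	inter.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: store, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // no extended key usage policy in this example
	})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// issueCRL publishes a CRL from ca listing revokedSerials; clients treat it as current until nextUpdate.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, nextUpdate time.Time, revokedSerials ...int64) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: nextUpdate,
		RevokedCertificates: entries,
	}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// revoked applies a CRL as a client does: it must be signed by the certificate's issuer, it is honoured until NextUpdate even if the CA has since published a newer one, and a listed serial number means revoked.
func revoked(cert, issuer *x509.Certificate, crl *x509.RevocationList, at time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s; retrieve a current one", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now, year := time.Now(), 365*24*time.Hour
	root, rootKey := issue("Constructed Root CA", 1, caUsage, now.Add(10*year), nil, nil)
	sub, subKey := issue("Constructed Subordinate CA", 2, caUsage, now.Add(5*year), root, rootKey)
	user, _ := issue("user@example.test", 3, leafUsage, now.Add(6*year), sub, subKey)
	fmt.Println(len(must(certificationPath(user, sub, now, root))), "certificates in the path")
	_, err := certificationPath(user, sub, sub.NotAfter.Add(time.Second), root)
	fmt.Println("after the subordinate CA expires:", err)
	_, err = certificationPath(user, sub, now) // root not in the trusted root store
	fmt.Println("untrusted root:", err)
	oldCRL := issueCRL(sub, subKey, 1, now.Add(24*time.Hour))    // published before the revocation
	newCRL := issueCRL(sub, subKey, 2, now.Add(24*time.Hour), 3) // lists the user certificate
	fmt.Println(revoked(user, sub, newCRL, now))
	fmt.Println(revoked(user, sub, oldCRL, now)) // still not revoked: the stale CRL is honoured
}
```

The path check fails as soon as any certificate in the chain is outside its validity period (here the subordinate CA, even though the user certificate itself is still valid) or the root is absent from the store. The last line shows the behaviour the text warns about: a client holding the earlier CRL reports the user certificate as not revoked until that CRL's NextUpdate passes, even though the CA has already published the newer list. Go's Verify does not consult CRLs on its own, which is why revocation is a separate step in this example.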
If your organization is using Active Directory, then trust in your organization's certification authorities will typically be established automatically, based on decisions and settings made by the system administrator.
A related concept with which you should be familiar is certificate store inheritance. If you place a root CA certificate into the computer's trusted root certification authorities store or enterprise trust store, then any user of the computer will see that certificate in their own user trusted root certification authorities store or enterprise trust store even though the root certificate is actually in the computer's store. Essentially, users will trust any CA that their computer trusts. Certificate store inheritance does not work the other way around: certificates in the user's trusted root certification authorities store and enterprise trust store are not inherited by the computer.
If your organization is using the version of Certificate Services in Windows 2000 Server to run its certification authority, then the certification authority is one of two types: enterprise or stand-alone. The differences between the two standard types of Windows 2000 certification authorities for certificate users and requesters are summarized below.
Enterprise certification authority
An enterprise certification authority depends upon Active Directory being present.
You can use the Certificate Request wizard (which is started from within the Certificates snap-in), as well as certification authority Web pages, to request certificates from an enterprise certification authority.
An enterprise certification authority offers different types of certificates to a requester based on the certificates it is configured to issue as well as the security permissions of the requester. An enterprise certification authority uses information available in Active Directory to help verify the requester's identity. An enterprise certification authority publishes its certificate revocation list to Active Directory as well as to a shared directory.
Stand-alone certification authority
A stand-alone certification authority is less automated for a user than an enterprise certification authority because it does not depend on the use of Active Directory.
By default, users can request certificates from a stand-alone certification authority only by using the certification authority Web pages.
Stand-alone certification authorities that do not use Active Directory will generally have to request that the certificate requester provide more complete identifying information. A stand-alone certification authority makes its certificate revocation list available from a shared folder, or from Active Directory if it is available.
Note