Windows 2000 Certification Authorities

Windows 2000 Server and Certificate Services support two types of CAs: enterprise CAs and stand-alone CAs. A root CA or a subordinate CA can be installed as either an enterprise CA or a stand-alone CA.

Enterprise Certification Authorities

Enterprise CAs are integrated with Active Directory. Enterprise CAs publish certificates and CRLs to Active Directory. Enterprise CAs use certificate template information, user account information, and security group information that are stored in Active Directory to approve or deny certificate requests. For a certificate request to be approved, the requestor must have Enroll permissions granted by the security ACLs of the certificate template for the certificate type that was requested. When a certificate is issued, the enterprise CA uses information in the certificate template to generate a certificate with the appropriate attributes for that certificate type.

It is recommended that you install most issuing CAs as enterprise CAs to gain the benefits of integration with Active Directory, including automated certificate approval and automatic computer certificate enrollment. Furthermore, only enterprise CAs can issue certificates for logging on with smart cards because this process requires that smart card certificates be mapped automatically to the user accounts in Active Directory and because it uses certificate templates.

Stand-alone Certification Authorities

Stand-alone CAs do not require Active Directory and do not use certificate templates. For stand-alone CAs, all information about the requested certificate type must be included in the certificate request. The Web Enrollment Support pages that are installed for stand-alone CAs, support requests for a variety of certificate types.

By default, all certificate requests submitted to stand-alone CAs are held in the Pending Queue until the CA administrator approves them. You can configure stand-alone CAs to issue certificates automatically upon request, but this adds a significant security risk and usually is not recommended.

If you want to automate certificate requests for stand-alone CAs, consider developing custom policy modules that securely approve or deny certificate requests. For example, you might develop a custom policy module that automatically grants certificates to authenticated requestors based on security information about the requestor that is contained in a legacy database or a third-party directory service. Stand-alone CAs cannot issue certificates for the smart card logon process, but they can issue other types of certificates for smart cards. For example, you can use the Web Enrollment Support pages for a stand-alone CA to issue secure mail and secure Web browser certificates to requestor's smart cards.

By default, stand-alone CAs publish CRLs to the following location:

< Drive: >\WINNT\System32\Certsrv\Certenroll

where < Drive: >\ is the letter of the disk drive where the CA is installed.

The use of stand-alone CAs for high-volume issuing usually incurs a high administrative cost because administrators must manually review and approve or deny each certificate request. Therefore, stand-alone issuing CAs are intended primarily for use with public key security applications on extranets and the Internet, when users do not have Windows 2000 accounts and the volume of certificates to be issued and managed is relatively low.

You must, however, install stand-alone CAs to issue certificates when you are using a third-party directory service or when Active Directory is not available. Furthermore, stand-alone CAs can provide more flexibility for planning and managing the certificate life cycle by using root CA and intermediate CAs.