Integrate with Third-Party Certificate Services (Optional)

The Windows 2000 public key infrastructure is interoperable with various third-party certificate services that comply with the standards recommended by the Public Key Infrastructure X.509 (PKIX) working group of the Internet Engineering Task Force (IETF). However, interoperability between commercially available PKIX-compliant products is not guaranteed because the technology is still in an early stage of development. For more information about interoperability, see "Choosing Security Solutions That Use Public Key Technology" in this book.

In general, Windows 2000 Certificate Services provides many benefits that third-party CAs do not, because Certificate Services is fully integrated with the Windows 2000 public key infrastructure and Active Directory. However, you can use third-party certificate services with Windows 2000 to deploy CAs and issue certificates for your organization.

To work properly with the Windows 2000 public key infrastructure, third-party CAs must support industry-standard X.509 version 3 certificates and X.509 version 2 certificate revocation lists. X.509-compliant certificates from third-party CAs can be used for most public key–based Windows 2000 security solutions. However, third-party CAs can't be used for features that require enterprise CA integration with Active Directory. For example, third-party CAs can't be used to issue Smart Card Logon certificates or Smart Card User certificates for Windows 2000 domains or to autoenroll certificates for computers.

You can use compliant third-party CAs to form all or part of your certification trust chains. Third-party root CAs are not added automatically to Trusted Root Certification Authorities stores. You can configure Public Key Group Policies to add third-party root CAs to Trusted Root Certification Authorities stores and to create CTLs that trust third-party CAs.

To ensure that third-party certificate services work as intended with the Windows 2000 public key infrastructure, test third-party solutions thoroughly in labs and pilot programs. For more information about the capabilities of specific third-party solutions, contact the appropriate third-party vendors.
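One check that fits into such lab testing is confirming that a third-party CA really issues X.509 version 3 certificates and version 2 CRLs, as required above. The following is an added example, not part of the original documentation or of any Microsoft tool; the function names and the sample DER skeletons are constructed for illustration, and real input would be the DER bytes of an exported certificate or CRL file.

```python
# Added example: read the version field from DER-encoded X.509 certificates and CRLs.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _first_tbs_field(der_bytes):
    """Descend outer SEQUENCE -> tbs SEQUENCE and return its first (tag, value)."""
    tag, outer, _ = read_tlv(der_bytes, 0)
    tag2, tbs, _ = read_tlv(outer, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate or CRL")
    tag, value, _ = read_tlv(tbs, 0)
    return tag, value

def certificate_version(der_bytes):
    tag, value = _first_tbs_field(der_bytes)
    if tag != 0xA0:                          # [0] EXPLICIT version absent: DEFAULT v1
        return 1
    _, number, _ = read_tlv(value, 0)        # INTEGER 0, 1, 2 means v1, v2, v3
    return int.from_bytes(number, "big") + 1

def crl_version(der_bytes):
    tag, value = _first_tbs_field(der_bytes)
    if tag != 0x02:                          # OPTIONAL version absent: v1 CRL
        return 1
    return int.from_bytes(value, "big") + 1  # INTEGER 1 means v2

def version_problems(cert_der, crl_der):
    """List the ways the pair misses the v3 certificate / v2 CRL requirement."""
    problems = []
    if certificate_version(cert_der) != 3:
        problems.append("certificate is not X.509 version 3")
    if crl_version(crl_der) != 2:
        problems.append("CRL is not X.509 version 2")
    return problems

# Constructed samples: skeletons cut off after the fields the check reads.
def der(tag, content):                       # short-form encoder, samples only
    return bytes([tag, len(content)]) + content
SERIAL = der(0x02, b"\x01")
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")))
V3_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + SERIAL))
V1_CERT = der(0x30, der(0x30, SERIAL))
V2_CRL = der(0x30, der(0x30, der(0x02, b"\x01") + ALG))
V1_CRL = der(0x30, der(0x30, ALG))
```

Base64 (PEM) exports must be decoded to DER before they are passed to these functions.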