In Windows 2000 Certificate Authority planning, CAs are organized into
a hierarchy.
A CA hierarchy starts from a single root, with subordinate CAs as
children of that root. As your CA organization grows, more CAs
can be added in a parent-child relationship.
Verification of certificates thus requires trust in only a small number
of root CAs. At the same time, it provides flexibility in the number
of certificate-issuing subordinate CAs. There are several practical
reasons for supporting multiple subordinate CAs, including:
- Usage. Certificates may be issued for a number of purposes,
such as secure e-mail and network authentication. The issuing
policy for these uses may be distinct, and separation provides
a basis for administering these policies.
- Organizational divisions. There may be different policies for
issuing certificates, depending upon an entity's role in the organization.
Again, you can create subordinate CAs to separate and administer
these policies.
- Geographic divisions. Organizations may have entities at multiple
physical sites. Network connectivity between these sites may dictate
a requirement for multiple subordinate CAs to meet usability requirements.
Subordinates are trusted because the root node is trusted.
You can have more than one enterprise CA in an Active Directory domain.
You can also mix standalone CAs with enterprise ones.
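The trust relationship described above, as an added example that is not part of the original page: it uses the OpenSSL command line rather than Windows 2000 Certificate Services, and builds one root with two subordinate CAs split by usage. All subject names, file names and the helper functions `issue`, `build_hierarchy` and `chains_to` are constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo: every subject name and file name below is made up.

# issue NAME SUBJECT EXTFILE [ISSUER]: create a key and CSR for NAME, then
# sign it with ISSUER's key (self-signed, i.e. a root, when ISSUER is omitted).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# build_hierarchy DIR: one root, two subordinate CAs separated by usage,
# one end-entity certificate under each, plus an unrelated second root.
build_hierarchy() (
    mkdir -p "$1" && cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext
    issue root  "/CN=Example Root CA"          ca.ext       &&
    issue mail  "/CN=Example Mail Issuing CA"  ca.ext root  &&
    issue logon "/CN=Example Logon Issuing CA" ca.ext root  &&
    issue alice "/CN=alice"                    ee.ext mail  &&
    issue host1 "/CN=host1"                    ee.ext logon &&
    issue other "/CN=Unrelated Root CA"        ca.ext
)

# chains_to ROOT LEAF [INTERMEDIATE]: succeed only if LEAF chains to ROOT.
# The intermediate is passed as -untrusted: it may be used to build the
# path, but it is never a trust anchor by itself.
chains_to() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

d=$(mktemp -d) && build_hierarchy "$d" || exit 1
chains_to "$d/root.pem"  "$d/alice.pem" "$d/mail.pem" && echo "alice: chains to the root via the mail CA"
chains_to "$d/root.pem"  "$d/alice.pem"               || echo "alice: no path without the subordinate CA certificate"
chains_to "$d/other.pem" "$d/alice.pem" "$d/mail.pem" || echo "alice: rejected under the unrelated root"
```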