You can create your organization's Certificate Authority (CA) using Microsoft's Windows Server 2003 Certificate Services. Windows 2003 Certificate Services offers four types of CAs: Enterprise Root CA, Enterprise Subordinate CA, Standalone Root CA, and Standalone Subordinate CA.
Enterprise Root CAs
The Enterprise Root CA is at the top level of the certificate authority hierarchy. Once an Enterprise Root CA is configured, it registers automatically within Active Directory, and all computers within the domain trust it.
The Enterprise Root CA is usually responsible for issuing certificates to subordinate CAs, which then issue the certificates to users and computers on the network. However, the Enterprise Root CA can also issue certificates to users and computers, if required. The features of Enterprise CAs are as follows:
• The auto-enrollment feature is available.
• Only a member of the Enterprise Admins group can configure an Enterprise CA.
• An enterprise CA requires the Active Directory service.
• An enterprise CA requires the DNS service.
If you require smart cards for your employees, you should use Enterprise CAs.
Enterprise Subordinate CAs
Enterprise Subordinate CAs are placed under the Enterprise Root CA in the certificate hierarchy. They are normally used for issuing certificates to a particular part of an organization or for issuing certificates of a specific type. An Enterprise Subordinate CA should be certified by the Enterprise Root CA (which may be an Enterprise Root CA on the local network or a third-party CA).
Standalone Root CAs
Standalone CAs do not use Active Directory. If Active Directory is not available in your network, you can configure Standalone Root CAs. If you want to issue certificates to outside entities, a Standalone CA should be implemented.
• The auto-enrollment feature is not available. All requests for certificates are pending until an administrator approves them.
• Local administrators can configure Standalone CAs.
• Standalone CAs can be used with extranets.
• No certificate templates are used.
• Standalone CA certificates cannot be used for smart cards.
Standalone Subordinate CAs
The function of a Standalone Subordinate CA is similar to that of an Enterprise Subordinate CA, and Standalone Subordinate CAs are placed under a Root CA in the certificate hierarchy. You require a Root CA to configure a Standalone Subordinate CA. A Standalone Subordinate CA should be certified by the Root CA (a Root CA on the local network or a third-party CA).