A root certification authority (CA) is the most trusted certification authority, which is at the top of a public key infrastructure (PKI) certification hierarchy. For native mode communication to be successful in a Configuration Manager 2007 site, the PKI certificates that are used for authentication, encryption, and signing must be issued by a root certification authority that is trusted by the other computers and devices in the site.
Each computer and device that communicates using certificates must have a root certificate in common. If all the computers in your Configuration Manager 2007 hierarchy use certificates from the same certification authority, you need to deploy only a single trusted root certification authority. However, there is no requirement to use the same certification authority, so you might have to install multiple root CAs.
Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:
- If you are using a Microsoft Enterprise root certification authority, the root certificate is automatically installed on computers in the forest, using Active Directory Domain Services.
- If you are not using a Microsoft Enterprise root certification authority but want all computers in the forest to automatically trust the root certification authority, you can publish the root certificate in the Enterprise Trust Store, using Group Policy or the Certutil command.
- If you are not using a Microsoft Enterprise root certification authority and want only groups of computers in the forest to automatically trust the root certification authority, you can publish the root certificate to domains or organizational units (OUs) using Group Policy. Only computers that have the Group Policy applied will automatically trust the root certification authority. Add the root certificate to the Group Policy object Trusted Root Certification Authorities under the Public Key Policies folder for the Computer Configuration container.
- If you are using Microsoft Certificate Services with Internet Information Services (IIS), you can request and install the root certificate with the Web enrollment service.
- You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
- You can export the certificate to a file and import it if exporting the public key is enabled within the certificate.
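The last method above (export the root certificate to a file, then import it on each computer) and the verification that every peer shares a trusted root can be scripted. The following PowerShell is an added example, not part of the original article or of Configuration Manager 2007 itself; the file paths `C:\PKI\ContosoRootCA.cer` and `C:\PKI\ClientAuth.cer` are assumptions, and the `certutil` commands named in the comments are the documented command-line equivalents of the Group Policy and Active Directory publishing methods. It checks that the file really is a self-signed CA certificate before placing it in the machine-wide Trusted Root store, confirms the import by thumbprint, and then builds the chain of a certificate issued by that CA to show that native mode peers would now agree on the root.

```powershell
# Added example (not from the original article): install a root CA certificate into the
# local machine's Trusted Root store and confirm a client certificate chains to it.
# Paths below are assumptions; replace them with your exported certificate files.
param(
    [string]$RootCertPath   = 'C:\PKI\ContosoRootCA.cer',  # assumed: exported root CA certificate
    [string]$ClientCertPath = 'C:\PKI\ClientAuth.cer'      # assumed: a certificate issued by that root
)

function Test-IsRootCertificate {
    # A root CA certificate is self-signed (subject equals issuer) and carries
    # basicConstraints CA=TRUE. Anything else must not be dropped into the Root store.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $isCa = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        ForEach-Object { $_.CertificateAuthority }
    return ($Cert.Subject -eq $Cert.Issuer) -and ($isCa -eq $true)
}

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath
if (-not (Test-IsRootCertificate $root)) {
    throw "'$RootCertPath' is not a self-signed CA certificate; refusing to add it to the Root store."
}

# Install into the machine-wide Trusted Root store (run as a local administrator).
# Command-line equivalent on one computer:      certutil -addstore -f Root <file>
# Forest-wide publication (Enterprise Trust):   certutil -dspublish -f <file> RootCA
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($root)
$store.Close()

# Confirm by thumbprint; this is also how to audit a computer that should have received
# the root via Group Policy or Active Directory Domain Services.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $installed) { throw "Root certificate $($root.Thumbprint) not found after import." }
Write-Output "Trusted root present: $($root.Subject) [$($root.Thumbprint)]"

# Native mode communication requires the peer's certificate to chain to a trusted root.
# Build the chain for a certificate issued by this CA and report where it terminates.
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; keep revocation checking on in production
if ($chain.Build($client)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Client certificate chains to trusted root: $($top.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

The self-signed and CA=TRUE check matters because the Root store is a trust anchor list: a certificate that is merely an intermediate, or a server certificate, belongs in the Intermediate or Personal store, not here. Revocation checking is disabled only so the example runs without CRL access; when validating real client and site system certificates, leave the default `Online` mode in place so revoked certificates are rejected.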
If you are using the operating system deployment feature, root CAs must be specified in Configuration Manager 2007 as a site property. For more information, see How to Specify the Root Certification Authority Certificates for Operating System Deployment Clients.