A root certification authority (CA) is the most trusted certification authority and sits at the top of a public key infrastructure (PKI) certification hierarchy. For native mode communication to succeed in a Configuration Manager 2007 site, the PKI certificates that are used for authentication, encryption, and signing must be issued by a root certification authority that is trusted by the other computers and devices in the site.

Each computer and device that communicates using certificates must have a root certificate in common. If all the computers in your Configuration Manager 2007 hierarchy use certificates from the same certification authority, you need to deploy only a single trusted root certification authority. However, there is no requirement to use the same certification authority, so you might have to install multiple root CAs.

Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:

If you are using the operating system deployment feature, root CAs must be specified in Configuration Manager 2007 as a site property. For more information, see How to Specify the Root Certification Authority Certificates for Operating System Deployment Clients.
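One way to confirm that a computer trusts the root CA behind its certificates, shown as an added example that is not part of the original documentation: the script checks that the expected root is in the computer's Trusted Root Certification Authorities store and that each certificate in the computer's Personal store chains to it. The thumbprint value is a placeholder, and the script assumes that the certificates to check are in the computer's Personal store.

```powershell
# Added example (not from the original documentation).
# Assumption: $ExpectedRootThumbprint is a placeholder for your own root CA's thumbprint.
param(
    [string]$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>'
)

# 1. Is the expected root certificate installed in the computer's trusted root store?
$rootInstalled = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ExpectedRootThumbprint })
"Expected root present in LocalMachine\Root: $rootInstalled"

# 2. Does each certificate in the computer's Personal store chain to that root?
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # $true = build the chain in the machine context, not the current user's.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

    # Only the trust anchor is being tested here, so revocation checking is skipped.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)

    # The last chain element is the root when the chain is complete; when an
    # issuer is missing it is only the highest certificate that could be found.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Collect failure reasons such as UntrustedRoot or PartialChain.
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject            = $cert.Subject
        ChainTrusted       = $trusted
        TopOfChain         = $top.Subject
        TopIsExpectedRoot  = ($top.Thumbprint -eq $ExpectedRootThumbprint)
        ChainProblems      = $problems
    }

    $chain.Reset()
}
```

A row with `ChainTrusted` false and `UntrustedRoot` in `ChainProblems` means the issuing root is not installed as a trusted root on that computer; `PartialChain` means an intermediate or root certificate could not be located at all.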
