Ask the Expert

Enrolling in an Active Directory and Windows certificate authority

Is it possible to enroll my entire organization in certificates using Windows Server 2003 and Active Directory? I would like the certificates to be from a well-known root CA recognized by all computers in order to implement electronic signatures on Microsoft Office documents that would be recognized/validated outside the company.


Yes and no. Yes, you can enroll your entire organization in an Active Directory and Windows certificate authority (this Microsoft TechNet article covers the major steps).

Will all computers recognize even a well-known root CA? Unfortunately, the answer is no. Many software applications assume these root certificates are trustworthy on the user's behalf, but not all do. This "chain of trust" assumes that the end-organization's applications have validated and verified that the root CA you use is a trusted CA. Just as a driver's license may be valid in the U.S. but not necessarily recognized by other countries, there isn't a root CA that is a trusted CA for all applications. While using a well-known root CA dramatically improves the chance of your certificates being trusted, there's no 100% guarantee. (Expect help desk calls if electronic signatures are turned on by default, since the general public doesn't have access to every CA certificate. This can cause errors for many senders, as many of them may not be able to reach the specific CA being used to protect the content.) It's always a best practice to discuss your secure communications schemes in advance with any outside organizations where you'll be using them.

This was first published in May 2010
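
To see how a given machine treats a signer's certificate, the check below builds the chain against that machine's Windows trust store and reports why it is or is not trusted. It is an added example, not part of the original answer; it assumes the validating application relies on the Windows certificate store, and `Test-SignerTrust` and `$CertPath` are hypothetical names.

```powershell
# Added example: does THIS machine trust the chain behind a signer's certificate?
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # assumed: path to the signer's exported public certificate (.cer)
)

function Test-SignerTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Judge trust only: skip CRL/OCSP lookups so an unreachable revocation
    # server does not mask the root-trust result.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($Cert)

    # The last chain element is the highest certificate Windows could find.
    # It is the root only when it is self-issued; otherwise the chain is partial.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Signer          = $Cert.Subject
        ChainLength     = $chain.ChainElements.Count
        TopOfChain      = $top.Subject
        TopIsSelfIssued = ($top.Subject -eq $top.Issuer)
        InMachineRoots  = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        InUserRoots     = Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)"
        Trusted         = $trusted
        # Typical failures: UntrustedRoot (root present but not trusted here),
        # PartialChain (issuer certificates could not be located at all).
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
Test-SignerTrust -Cert $cert | Format-List
```

Running it on a machine outside the issuing domain shows what an external recipient would see: a certificate issued by an internal Active Directory CA typically validates inside the organization and fails outside it, because the internal root is not in the outside machine's root store.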
