
Enrolling in an Active Directory and Windows certificate authority

Learn more about the process of enrolling an enterprise in a certificate authority using Windows Server 2003 and Active Directory, as well as whether or not there is a universally accepted root CA.

Is it possible to enroll my entire organization in certificates using Windows Server 2003 and Active Directory? I would like the certificates to be from a well-known root CA recognized by all computers in order to implement electronic signatures on Microsoft Office documents that would be recognized/validated outside the company.
Yes and no. Yes, you can enroll your entire organization in an Active Directory and Windows certificate authority (this Microsoft TechNet article covers the major steps).

Will every computer recognize even a well-known root CA? Unfortunately, no. Many software applications treat the root certificates they ship with as trustworthy on the user's behalf, but not all do. This "chain of trust" assumes that the receiving organization's applications have validated and verified that the root CA you use is one they trust. Just as a driver's license may be valid in the U.S. but not necessarily recognized by other countries, there is no root CA that every application trusts. Using a well-known root CA dramatically improves the chance of your certificates being trusted, but it is not a 100% guarantee. (Expect help desk calls if electronic signatures are turned on by default, since the general public does not have access to every CA certificate. This can cause errors for many senders, because they may not be able to reach the specific CA used to protect the content.) It is always a best practice to discuss your secure communications scheme in advance with any outside organization where you will be using it.
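The practical test behind the answer above is whether a given machine can build a chain from your signing certificate up to a root it already trusts. The PowerShell script below is an added example, not part of the original TechTarget answer, and uses the .NET X509Chain class to run that check on the machine where it is executed. The certificate path is a placeholder; export the public part of the signing certificate to a .cer file and point the script at it.

```powershell
# Added example (not from the original answer): report whether a signing
# certificate chains to a root that THIS machine trusts, and why not if it
# does not. Run it on a domain-joined PC (where the enterprise root is pushed
# to the Trusted Root store) and again on an outside PC to see the difference.
param(
    # Placeholder path; replace with the exported .cer of your signing certificate.
    [string]$CertPath = "C:\temp\signing-cert.cer"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is a separate question from trust; skip it here so an unreachable
# CRL does not mask the trust result we are interested in.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$trusted = $chain.Build($cert)

Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("Issuer  : {0}" -f $cert.Issuer)
Write-Host ("Chains to a trusted root on this machine: {0}" -f $trusted)

# Walk the chain as built; the last element is the root this machine found.
$i = 0
foreach ($element in $chain.ChainElements) {
    Write-Host ("  [{0}] {1}" -f $i, $element.Certificate.Subject)
    $i++
}

if (-not $trusted) {
    # Typical results: UntrustedRoot (root not in the Trusted Root store) or
    # PartialChain (an intermediate CA certificate could not be located).
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# Is the chain's root actually installed in the machine-wide Trusted Root store?
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
Write-Host ("Root '{0}' present in LocalMachine\Root: {1}" -f $root.Subject, [bool]$installed)
```

On a domain member, where Active Directory Certificate Services has published the enterprise root through Group Policy, Build returns True and the root shows up in LocalMachine\Root. On a machine outside the organization the same certificate typically fails with UntrustedRoot, which is the situation the answer warns about. Running this check on a representative outside machine before turning signatures on by default is a cheap way to find out whether the chosen root is recognized there.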

This was last published in May 2010

