Security Certificate -- Create CA now, sign internal and get CA signed later?
Hi Folks, I have a small domain and I think I know what I want to do, but it seems to be in conflict with the way Certificates work.

I want to create a certificate for "TCLC" which is the name of the company. It should be an "Intermediate CA" -- I think. I want to use this to sign any other certificate I generate for use internally and have that certificate trusted by anybody/anything in the domain -- subject to the limitation of the certificate, of course. Then at some point in the future, as needed, I can get the Intermediate CA signed, and now my chain of trust will resolve to the signing authority, so the trust will extend beyond my domain to my clients and customers.

It appears that all the certificates I generate (Windows Server 2008 R2) are specific to a machine, and I can't create one for the company which is greater than any machine. Nor can I seem to create one for the domain, which constitutes a set of DCs, which are equivalent to each other, and should be able to speak for each other, and should be able to project a "joint" identity.

So, is this how things work? If not, can you please explain where I am confused? If so, can you please explain how I create certificates that are "larger" than a server?

Thanks for the help, Chris.
June 11th, 2012 3:48pm

Hi Elytis, Thanks for the reference, but referring me to a manual is not helpful. I'm aware of manuals and I have read much about this topic, but I am still unclear on what to do, which is why I asked for clarification and assistance. The manuals explain all situations for all users and I have only one simple question which is certainly answered in the manual but that particular needle has been difficult to find in that manual haystack.

I have established a Root CA as an Enterprise Certificate Authority. I need to "certify" my TS Remote Desktop Gateway, but I have no idea how to issue such a certificate nor what to do with it once I do. Then I think I need to install the trust anchor in the various clients that will be connecting to the Remote Desktop Server and I don't know how I accomplish that.

On the upside, I will know when I have accomplished what I need because my Remote Desktop Gateway will suddenly stop complaining about expired or revoked certificates and start serving desktops.

Thanks for the help, Chris.
August 10th, 2012 12:23pm

This topic is archived. No further replies will be accepted.
