Why POLICY CAs?
Hi, We are planning to implement an internal certification authority in our organization. It would be great if someone could explain to me what POLICY CAs really do in a CA hierarchy?
July 23rd, 2012 1:53am

For details about certificates, the Security forum is the better place: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

Hope this helps.

Best Regards, Sandesh Dubey. MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
July 23rd, 2012 2:00am

Hello, please see http://technet.microsoft.com/en-us/library/cc756989(WS.10).aspx especially: "Enterprise and stand-alone CAs can be configured as either Root CAs or Subordinate CAs. Subordinate CAs can further be configured as either Intermediate CAs (also referred to as a policy CA) or Issuing CAs."

Best regards, Meinolf Weber. MVP, MCP, MCTS. Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/

Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
July 23rd, 2012 3:23am

Hello,

A policy CA is typically located on the second-tier of a CA hierarchy, directly beneath the root CA. In this scenario, the root CA is often referred to as a parent CA, because the root CA issued a Subordinate Certification Authority certificate to the policy CA. In fact, any CA that issues a certificate to another CA is referred to as a parent CA. The CA that receives the certificate from a parent CA is known as a subordinate CA.

The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI, the processes that validate the identity of certificate holders, and the processes that enforce the procedures that manage certificates. A policy CA issues certificates only to other CAs. The CAs that receive these certificates must uphold and enforce the policies that the policy CA defined.

It is not mandatory to use policy CAs unless different divisions, sectors, or locations of your organization require different issuance policies and procedures. However, if your organization requires different issuance policies and procedures, you must add policy CAs to the hierarchy to define each unique policy. For example, an organization can implement one policy CA for all certificates that it issues internally to employees and another policy CA for all certificates that it issues to non-employees.

Resource: http://technet.microsoft.com/en-us/library/cc779826%28v=ws.10%29.aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
July 23rd, 2012 3:56am
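An added example, not part of any post in this thread: a simplified model of how X.509 path validation narrows certificate policies down a chain, which is the mechanism that makes issuing CAs "uphold" what their policy CA defined. It assumes constructed OIDs under the 2.999 example arc and hypothetical CA names, and it ignores policy mappings, inhibitAnyPolicy and requireExplicitPolicy.

```python
ANY_POLICY = "2.5.29.32.0"   # anyPolicy ("All issuance policies" in AD CS)
EMPLOYEE = "2.999.1.1"       # constructed OID under the 2.999 example arc
NON_EMPLOYEE = "2.999.1.2"   # constructed OID under the 2.999 example arc


def effective_policies(chain):
    """Return the policy OIDs a chain is valid for.

    chain: (subject, certificatePolicies OIDs) pairs ordered from the
    certificate the root issued down to the end-entity certificate.
    """
    valid = {ANY_POLICY}                 # the trust anchor accepts anything
    for _subject, policies in chain:
        if not policies:                 # extension absent: nothing survives
            return set()
        if ANY_POLICY in policies:       # inherits whatever is valid above
            continue
        if ANY_POLICY in valid:
            valid = set(policies)
        else:
            valid = valid & set(policies)
        if not valid:
            return set()
    return valid


def accepted(chain, required_oid):
    """Would a relying party that requires required_oid accept the chain?"""
    valid = effective_policies(chain)
    return required_oid in valid or ANY_POLICY in valid


# Constructed hierarchy: one root, one policy CA per population.
INTERNAL = [("Internal Policy CA", {EMPLOYEE}),
            ("Issuing CA 1", {ANY_POLICY}),
            ("alice (employee)", {EMPLOYEE})]
EXTERNAL = [("External Policy CA", {NON_EMPLOYEE}),
            ("Issuing CA 2", {NON_EMPLOYEE}),
            ("vendor", {NON_EMPLOYEE})]
# Issuing CA 1 tries to assert a policy its policy CA never granted.
OVERREACH = [("Internal Policy CA", {EMPLOYEE}),
             ("Issuing CA 1", {EMPLOYEE, NON_EMPLOYEE}),
             ("vendor", {NON_EMPLOYEE})]

if __name__ == "__main__":
    for name, chain in [("internal", INTERNAL), ("external", EXTERNAL),
                        ("overreach", OVERREACH)]:
        print(name, sorted(effective_policies(chain)))
```

The overreach chain ends with an empty policy set: a certificate issued under the internal policy CA cannot be validated for the non-employee policy, whatever the issuing CA writes into it.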

Hi,

An intermediate CA is often referred to as a policy CA because it is typically used to separate classes of certificates that can be distinguished by policy. For example, policy separation includes the level of assurance that a CA provides or the geographical location of the CA to distinguish different end-entity populations. A policy CA can be online or offline.

Note: Most organizations use one root CA and two policy CAs: one to support internal users, the second to support external users.

More: Deployment of the new Federal Common Policy CA Root Certificate http://blogs.technet.com/b/pki/archive/2011/03/13/deployment-of-the-new-federal-common-policy-ca-root-certificate.aspx

Regards, Yan Li

Yan Li, TechNet Community Support
July 23rd, 2012 4:33am

This topic is archived. No further replies will be accepted.
