Sorry if this is too much of a newbie question, I am just starting to learn
about certificate services & PKI.....

We are a relatively small company (<100), but we wish to implement a public
key infrastructure using our Server 2003/SP1 servers (all our clients are
XP/SP2). We want to have digital signing for files, emails, etc. and will
also be implementing smartcard login.

From my certificate services reading, it seems that we want to have an
enterprise level certification authority. So that means we need a root CA
and 1 or more subordinate CAs. Also from my reading it seems that securing
the root CA is extremely important, and it is recommended that we have the
root CA offline and locked up.

Being a small company, the cost to do this seems a bit excessive.

Would it be possible to have one of the existing well known CAs (Verisign or
Thawte or ...) be our root CA? I.e., can we have them sign our subordinate
CA's certificate? That would satisfy the "secure/locked up" requirement.

I have visited both Verisign & Thawte's sites, and couldn't find anything
about this.

Is this possible? What kind of cost am I looking at to do this?

Thanks for any info,


