Re: Can MS Certificate Services create Subordinate CA Certificate?
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/03/05
- Next message: RQ: "Has anyone seen this "Alert"?"
- Previous message: Desmond Lee: "RE: win2k adv server keeps restarting by itself"
- In reply to: ohaya: "Can MS Certificate Services create Subordinate CA Certificate?"
- Next in thread: ohaya: "Re: Can MS Certificate Services create Subordinate CA Certificate?"
- Reply: ohaya: "Re: Can MS Certificate Services create Subordinate CA Certificate?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Mar 2005 05:48:40 -0800
It should be possible to make this work with Windows 2000, but it may be
easier with Windows Server 2003. Here is a whitepaper to help you:
Cross-certification and Qualified subordination whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:
Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

"ohaya" <ohaya@cox.net> wrote in message news:42254740.A45EFAC5@cox.net...
> Hi,
>
> I have MS Certificate Services configured on a Windows 2000 Server
> machine as a Standalone Certificate Server.
>
> I am testing a non-MS certificate server software on a separate machine,
> but I want that CA to be subordinate to the CA on the MS Certificate
> Server (which would be the ROOT CA).
>
> I created a certificate request on the non-MS certificate server and
> submitted it to MS Certificate Server, and got a new CA certificate.
>
> But, it appears that the certificate that got created by MS Certificate
> Services is not properly configured as a CA certificate. When I create
> a certificate (either client or server) with the non-MS certificate
> server, and look at the resulting certificate by clicking on it, I can
> see the path from the certificate to the non-MS certificate server
> certificate (with a yellow triangle) to the ROOT CA certificate. When I
> click on the non-MS certificate server certificate in the chain, it says
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end entity certificate".
>
> I ran "openssl x509" to look at the cert:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             61:08:d5:1b:00:00:00:00:00:04
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: emailAddress=foo@whatever.com, C=US, ST=VA, L=Wherever,
>                 O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
>         Validity
>             Not Before: Mar  2 02:00:32 2005 GMT
>             Not After : Mar  2 02:10:32 2006 GMT
>         Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co,
>                  CN=ATest1
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
>                     55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
>                     e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
>                     0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
>                     1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
>                     2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
>                     4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
>                     71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
>                     06:12:4b:d9:e7:3a:69:37:e1
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2:DB:A2:88:1B:03
>             X509v3 Authority Key Identifier:
>                 keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70
>                 DirName:/emailAddress=foo@whatever.com/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
>                 serial:58:66:DE:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71
>
>             X509v3 CRL Distribution Points:
>                 URI:http://dfi2/CertEnroll/ROOT1.crl
>                 URI:file://\\dfi2\CertEnroll\ROOT1.crl
>
>             Authority Information Access:
>                 CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
>                 CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt
>
>     Signature Algorithm: sha1WithRSAEncryption
>         01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
>         ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
>         66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
>         98:9c:76:83:d2:03:bc:48:73:1b
>
> It seems like this certificate is missing "Basic Constraint - CA" and
> several "Key Usages" ("Certificate Sign" and "CRL Sign").
>
> I was wondering if there is any way to get MS Certificate Services
> to create a proper subordinate CA certificate?
>
> Thanks,
> Jim
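An added check, not part of the thread, for the defect Jim describes: it runs the same "openssl x509 -text" dump over a certificate and reports whether the Basic Constraints CA flag and the Certificate Sign / CRL Sign key usages a subordinate CA needs are present. It assumes a POSIX shell and an OpenSSL command line that supports "-extensions" with a config file; the sample certificates are constructed locally with throwaway keys.

```shell
# Check whether a certificate carries what a subordinate CA needs:
# Basic Constraints CA:TRUE plus a Key Usage covering Certificate Sign
# and CRL Sign. Prints what is missing; returns 0 only if all are present.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    status=0
    for needed in 'CA:TRUE' 'Certificate Sign' 'CRL Sign'; do
        if ! printf '%s\n' "$text" | grep -q "$needed"; then
            echo "$1: missing '$needed'"
            status=1
        fi
    done
    return $status
}

# Constructed sample certificates (self-signed, throwaway keys): "ca" has
# the CA extensions, "ee" is issued without them, like the cert in the post.
make_sample_certs() {
    dir="$1"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = sample
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    for name in ca ee; do
        openssl req -x509 -config "$dir/req.cnf" -extensions "${name}_ext" \
            -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1 || return 1
    done
}
```

Run "check_ca_cert sub-ca.pem" against the certificate the MS CA issued; a proper subordinate CA certificate reports nothing and exits 0.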