Can MS Certificate Services create Subordinate CA Certificate?

 
 
ohaya
2nd Mar 2005
Hi,

I have MS Certificate Services configured on a Windows 2000 Server
machine as a Standalone Certificate Server.

I am testing a non-MS certificate server software on a separate machine,
but I want that CA to be subordinate to the CA on the MS Certificate
Server (which would be the ROOT CA).

I created a certificate request on the non-MS certificate server and
submitted it to MS Certificate Server, and got a new CA certificate.

But, it appears that the certificate that got created by MS Certificate
Services is not properly configured as a CA certificate. When I create
a certificate (either client or server) with the non-MS certificate
server, and look at the resulting certificate by clicking on it, I can
see the path from the certificate to the non-MS certificate server
certificate (with a yellow triangle) to the ROOT CA certificate. When I
click on the non-MS certificate server certificate in the chain, it says
"This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end entity certificate".

I ran "openssl x509" to look at the cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:08:d5:1b:00:00:00:00:00:04
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: emailAddress=(E-Mail Removed), C=US, ST=VA, L=Wherever, O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
        Validity
            Not Before: Mar  2 02:00:32 2005 GMT
            Not After : Mar  2 02:10:32 2006 GMT
        Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co, CN=ATest1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
                    55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
                    e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
                    0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
                    1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
                    2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
                    4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
                    71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
                    06:12:4b:d9:e7:3a:69:37:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2B:A2:88:1B:03
            X509v3 Authority Key Identifier:
                keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70
                DirName:/emailAddress=(E-Mail Removed)/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
                serial:58:66E:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71

            X509v3 CRL Distribution Points:
                URI:http://dfi2/CertEnroll/ROOT1.crl
                URI:file://\\dfi2\CertEnroll\ROOT1.crl

            Authority Information Access:
                CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
                CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt

    Signature Algorithm: sha1WithRSAEncryption
        01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
        ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
        66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
        98:9c:76:83:d2:03:bc:48:73:1b

It seems like this certificate is missing "Basic Constraint - CA" and
several "Key Usages" ("Certificate Sign" and "CRL Sign").

I was wondering if there is any way to get MS Certificate Services
to create a proper subordinate CA certificate?

Thanks,
Jim
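Added example, not part of the thread: the OpenSSL script below reproduces what Jim saw and shows what a subordinate CA certificate has to carry. A self-signed ROOT1 stands in for the MS root CA; the non-MS CA's CSR is signed by that root twice, once with only the identifier and CDP extensions seen in the dump above and once with Basic Constraints CA:TRUE plus Certificate Sign / CRL Sign key usage, and a server certificate issued under each sub-CA is then run through openssl verify. The names, the CDP URL and the hostname www.example.test are illustrative and the keys are generated on the fly (RSA-2048/SHA-256 rather than the 1024-bit/SHA-1 parameters in the dump, because current OpenSSL rejects SHA-1 chain signatures at its default security level). It does not cover how to make Certificate Services itself add those extensions; that is what David's whitepaper below addresses.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the "not allowed to issue
# certificates" symptom with OpenSSL and show the extensions a subordinate CA
# certificate needs. ROOT1/ATest1 mirror the names in the dump; the keys, the
# CDP URL and www.example.test are constructed here for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained req config, so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions like the ones in Jim's dump: identifiers and a CDP, but no
# Basic Constraints and no Key Usage.
cat > "$WORK/ext_subca_missing.cnf" <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
crlDistributionPoints = URI:http://dfi2/CertEnroll/ROOT1.crl
EOF

# What a subordinate CA certificate needs. pathlen:0 additionally stops the
# sub-CA from issuing further CA certificates.
cat > "$WORK/ext_subca_proper.cnf" <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
crlDistributionPoints = URI:http://dfi2/CertEnroll/ROOT1.crl
EOF

# End-entity (server) extensions for the certificate the sub-CA issues.
cat > "$WORK/ext_leaf.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Stand-in for the MS root CA: self-signed ROOT1.
openssl req -config "$WORK/req.cnf" -new -x509 -sha256 -days 365 -newkey rsa:2048 -nodes \
  -subj "/C=US/O=ROOT1ORG/CN=ROOT1" -extensions v3_root \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Stand-in for the non-MS CA: its own key and the CSR it submits to ROOT1.
openssl req -config "$WORK/req.cnf" -new -sha256 -newkey rsa:2048 -nodes \
  -subj "/C=US/O=ATest1Co/CN=ATest1" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null

# A server key and CSR for the sub-CA to sign.
openssl req -config "$WORK/req.cnf" -new -sha256 -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# sign_subca EXTFILE OUT SERIAL: ROOT1 signs the sub-CA CSR with the given extensions.
sign_subca() {
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial "$3" -days 365 -sha256 -extfile "$1" -out "$2" 2>/dev/null
}

# issue_leaf SUBCACERT OUT: the sub-CA issues the server certificate.
issue_leaf() {
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$WORK/sub.key" \
    -set_serial 1000 -days 90 -sha256 -extfile "$WORK/ext_leaf.cnf" -out "$2" 2>/dev/null
}

# has_ca_extensions CERT: the check Jim made by eye on the "openssl x509 -text" output.
has_ca_extensions() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# verify_chain SUBCACERT LEAF: path validation leaf -> sub-CA -> ROOT1.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$2" >/dev/null 2>&1
}

sign_subca "$WORK/ext_subca_missing.cnf" "$WORK/sub_missing.crt" 1
sign_subca "$WORK/ext_subca_proper.cnf"  "$WORK/sub_proper.crt"  2
issue_leaf "$WORK/sub_missing.crt" "$WORK/leaf_missing.crt"
issue_leaf "$WORK/sub_proper.crt"  "$WORK/leaf_proper.crt"

for v in missing proper; do
  if has_ca_extensions "$WORK/sub_$v.crt"; then ext="CA:TRUE + Certificate Sign"; else ext="no CA extensions"; fi
  if verify_chain "$WORK/sub_$v.crt" "$WORK/leaf_$v.crt"; then
    echo "sub_$v ($ext): chain verifies"
  else
    echo "sub_$v ($ext): chain rejected:" \
      "$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub_$v.crt" "$WORK/leaf_$v.crt" 2>&1 | grep 'depth lookup' | head -n 1)"
  fi
done
```

Run it with sh. The chain under sub_missing is rejected at depth 1 (openssl verify reports "invalid CA certificate", the command-line counterpart of the yellow triangle in the certificate viewer), while the chain under sub_proper verifies. Note that openssl x509 -req happily signs with the defective sub-CA key and certificate; the refusal only appears at validation time, which is why the non-MS server could still "issue" certificates that no relying party would accept.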
 
Reply With Quote
 
 
 
 
David Cross [MS]
3rd Mar 2005
It should be possible to make this work with Windows 2000, but it may be
easier with Windows Server 2003. Here is a whitepaper to help you:


Cross-certification and Qualified subordination whitepaper:
http://www.microsoft.com/technet/pro.../ws03qswp.mspx



--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/pro.../autoenro.mspx

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/pro.../ws3pkibp.mspx

Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/sec...o/tshtcrl.mspx

Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/pro...webenroll.mspx
ohaya
3rd Mar 2005
David,

Thanks for the link. It'll take a bit of juggling on my part, but we
have some W2K3 systems around that I can use for this.

It looks like I have a bit of reading to do, but I did a quick scan
of that article, and I think it has the info I need. From what I can
tell, it appears that the main problem with the "vanilla" Cert services
configuration is that the re-signed subordinate CA cert didn't have the
"BasicConstraints", I think, which is probably understandable from a
security standpoint.

Jim


