Can MS Certificate Services create Subordinate CA Certific..

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I have MS Certificate Services configured on a Windows 2000 Server
machine as a Standalone Certificate Server.

I am testing a non-MS certificate server software on a separate machine,
but I want that CA to be subordinate to the CA on the MS Certificate
Server (which would be the ROOT CA).

I created a certificate request on the non-MS certificate server and
submitted it to MS Certificate Server, and got a new CA certificate.

But, it appears that the certificate that got created by MS Certificate
Services is not properly configured as a CA certificate. When I create
a certificate (either client or server) with the non-MS certificate
server, and look at the resulting certificate by clicking on it, I can
see the path from the certificate to the non-MS certificate server
certificate (with a yellow triangle) to the ROOT CA certificate. When I
click on the non-MS certificate server certificate in the chain, it says
"This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end entity certificate".

I ran "openssl x509" to look at the cert:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d5:1b:00:00:00:00:00:04
Signature Algorithm: sha1WithRSAEncryption
Issuer: emailAddress=foo@whatever.com, C=US, ST=VA, L=Wherever,
O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
Validity
Not Before: Mar 2 02:00:32 2005 GMT
Not After : Mar 2 02:10:32 2006 GMT
Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co,
CN=ATest1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
06:12:4b:d9:e7:3a:69:37:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:

71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2:DB:A2:88:1B:03
X509v3 Authority Key Identifier:

keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70

DirName:/emailAddress=foo@whatever.com/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
serial:58:66:DE:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71

X509v3 CRL Distribution Points:
URI:http://dfi2/CertEnroll/ROOT1.crl
URI:file://\\dfi2\CertEnroll\ROOT1.crl

Authority Information Access:
CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt

Signature Algorithm: sha1WithRSAEncryption
01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
98:9c:76:83:d2:03:bc:48:73:1b

It seems like this certificate is mssing "Basic Constraint - CA" and
several "Key Usages" ("Certificate Sign" and "CRL Sign").

I was wondering if there is there any way to get MS Certificate Services
to create a proper subordinate CA certificate?

Thanks,
Jim
2 answers Last reply
More about certificate services create subordinate certific
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    It should be possible to make this work with Windows 2000, but it may be
    easier with Windows Server 2003. Here is a whitepaper to help you:


    Cross-certification and Qualified subordination whitepaper:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx


    --
    David B. Cross [MS]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Top Whitepapers:

    Auto-enrollment whitepaper:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    Best Practices for implementing Windows Server 2003 PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

    Troubleshooting Certificate Status and Revocation whitepaper:
    http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

    Windows Server 2003 web enrollment and troubleshooting guide:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
    "ohaya" <ohaya@cox.net> wrote in message news:42254740.A45EFAC5@cox.net...
    > Hi,
    >
    > I have MS Certificate Services configured on a Windows 2000 Server
    > machine as a Standalone Certificate Server.
    >
    > I am testing a non-MS certificate server software on a separate machine,
    > but I want that CA to be subordinate to the CA on the MS Certificate
    > Server (which would be the ROOT CA).
    >
    > I created a certificate request on the non-MS certificate server and
    > submitted it to MS Certificate Server, and got a new CA certificate.
    >
    > But, it appears that the certificate that got created by MS Certificate
    > Services is not properly configured as a CA certificate. When I create
    > a certificate (either client or server) with the non-MS certificate
    > server, and look at the resulting certificate by clicking on it, I can
    > see the path from the certificate to the non-MS certificate server
    > certificate (with a yellow triangle) to the ROOT CA certificate. When I
    > click on the non-MS certificate server certificate in the chain, it says
    > "This certification authority does not appear to be allowed to issue
    > certificates or cannot be used as an end entity certificate".
    >
    > I ran "openssl x509" to look at the cert:
    >
    > Certificate:
    > Data:
    > Version: 3 (0x2)
    > Serial Number:
    > 61:08:d5:1b:00:00:00:00:00:04
    > Signature Algorithm: sha1WithRSAEncryption
    > Issuer: emailAddress=foo@whatever.com, C=US, ST=VA, L=Wherever,
    > O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
    > Validity
    > Not Before: Mar 2 02:00:32 2005 GMT
    > Not After : Mar 2 02:10:32 2006 GMT
    > Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co,
    > CN=ATest1
    > Subject Public Key Info:
    > Public Key Algorithm: rsaEncryption
    > RSA Public Key: (1024 bit)
    > Modulus (1024 bit):
    > 00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
    > 55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
    > e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
    > 0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
    > 1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
    > 2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
    > 4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
    > 71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
    > 06:12:4b:d9:e7:3a:69:37:e1
    > Exponent: 65537 (0x10001)
    > X509v3 extensions:
    > X509v3 Subject Key Identifier:
    >
    > 71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2:DB:A2:88:1B:03
    > X509v3 Authority Key Identifier:
    >
    > keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70
    >
    > DirName:/emailAddress=foo@whatever.com/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
    > serial:58:66:DE:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71
    >
    > X509v3 CRL Distribution Points:
    > URI:http://dfi2/CertEnroll/ROOT1.crl
    > URI:file://\\dfi2\CertEnroll\ROOT1.crl
    >
    > Authority Information Access:
    > CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
    > CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt
    >
    > Signature Algorithm: sha1WithRSAEncryption
    > 01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
    > ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
    > 66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
    > 98:9c:76:83:d2:03:bc:48:73:1b
    >
    > It seems like this certificate is mssing "Basic Constraint - CA" and
    > several "Key Usages" ("Certificate Sign" and "CRL Sign").
    >
    > I was wondering if there is there any way to get MS Certificate Services
    > to create a proper subordinate CA certificate?
    >
    > Thanks,
    > Jim
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    David,

    Thanks for the link. It'll take a bit of juggling on my part, but we
    have some W2K3 systems around that I can use for this.

    It looks like I have a bit of reading to do :), but I did a quick scan
    of that article, and I think it has the info I need. From what I can
    tell, it appears that the main problem with the "vanilla" Cert services
    configuration is that the re-signed subordinate CA cert didn't have the
    "BasicConstraints", I think, which is probably understandable from a
    security standpoint.

    Jim


    "David Cross [MS]" wrote:
    >
    > It should be possible to make this work with Windows 2000, but it may be
    > easier with Windows Server 2003. Here is a whitepaper to help you:
    >
    > Cross-certification and Qualified subordination whitepaper:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03qswp.mspx
    >
    > --
    > David B. Cross [MS]
    > --
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
Ask a new question

Read More

Certificate Servers Windows