O
ohaya
Hi,
I have MS Certificate Services configured on a Windows 2000 Server
machine as a Standalone Certificate Server.
I am testing a non-MS certificate server software on a separate machine,
but I want that CA to be subordinate to the CA on the MS Certificate
Server (which would be the ROOT CA).
I created a certificate request on the non-MS certificate server and
submitted it to MS Certificate Server, and got a new CA certificate.
But, it appears that the certificate that got created by MS Certificate
Services is not properly configured as a CA certificate. When I create
a certificate (either client or server) with the non-MS certificate
server, and look at the resulting certificate by clicking on it, I can
see the path from the certificate to the non-MS certificate server
certificate (with a yellow triangle) to the ROOT CA certificate. When I
click on the non-MS certificate server certificate in the chain, it says
"This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end entity certificate".
I ran "openssl x509" to look at the cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d5:1b:00:00:00:00:00:04
Signature Algorithm: sha1WithRSAEncryption
Issuer: [email protected], C=US, ST=VA, L=Wherever,
O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
Validity
Not Before: Mar 2 02:00:32 2005 GMT
Not After : Mar 2 02:10:32 2006 GMT
Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co,
CN=ATest1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
06:12:4b:d9:e7:3a:69:37:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2
B:A2:88:1B:03
X509v3 Authority Key Identifier:
keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70
DirName:/[email protected]/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
serial:58:66E:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71
X509v3 CRL Distribution Points:
URI:http://dfi2/CertEnroll/ROOT1.crl
URI:file://\\dfi2\CertEnroll\ROOT1.crl
Authority Information Access:
CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt
Signature Algorithm: sha1WithRSAEncryption
01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
98:9c:76:83:d2:03:bc:48:73:1b
It seems like this certificate is mssing "Basic Constraint - CA" and
several "Key Usages" ("Certificate Sign" and "CRL Sign").
I was wondering if there is there any way to get MS Certificate Services
to create a proper subordinate CA certificate?
Thanks,
Jim
I have MS Certificate Services configured on a Windows 2000 Server
machine as a Standalone Certificate Server.
I am testing a non-MS certificate server software on a separate machine,
but I want that CA to be subordinate to the CA on the MS Certificate
Server (which would be the ROOT CA).
I created a certificate request on the non-MS certificate server and
submitted it to MS Certificate Server, and got a new CA certificate.
But, it appears that the certificate that got created by MS Certificate
Services is not properly configured as a CA certificate. When I create
a certificate (either client or server) with the non-MS certificate
server, and look at the resulting certificate by clicking on it, I can
see the path from the certificate to the non-MS certificate server
certificate (with a yellow triangle) to the ROOT CA certificate. When I
click on the non-MS certificate server certificate in the chain, it says
"This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end entity certificate".
I ran "openssl x509" to look at the cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d5:1b:00:00:00:00:00:04
Signature Algorithm: sha1WithRSAEncryption
Issuer: [email protected], C=US, ST=VA, L=Wherever,
O=ROOT1ORG, OU=ROOT1OU, CN=ROOT1
Validity
Not Before: Mar 2 02:00:32 2005 GMT
Not After : Mar 2 02:10:32 2006 GMT
Subject: emailAddress=foo@foo, C=us, O=ATest1Dept, OU=ATest1Co,
CN=ATest1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:25:e4:8f:24:af:5e:10:4e:a8:59:7b:2f:04:
55:14:e4:c8:ba:9a:a3:76:6e:f9:b8:b7:38:86:d0:
e6:f4:ed:70:f0:bd:ff:86:df:2d:fe:55:7d:0d:14:
0b:c2:e0:1f:c6:7d:f9:a2:ca:80:7b:c8:a8:7d:7a:
1e:9d:6f:07:40:64:0a:a4:17:45:91:1d:e4:9c:17:
2f:1c:bb:ee:35:d0:2c:26:29:8b:24:af:a4:72:73:
4d:e2:43:6c:55:e8:99:3c:ef:a5:74:b8:bc:90:a4:
71:bc:6a:0e:31:22:30:74:04:3c:f9:b7:f4:87:76:
06:12:4b:d9:e7:3a:69:37:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
71:6F:82:77:A7:52:3A:8B:63:A4:9F:33:3E:18:E2
B:A2:88:1B:03X509v3 Authority Key Identifier:
keyid:FB:EF:F5:2F:2C:10:96:E7:80:5B:E7:AA:22:A1:57:70:8D:14:08:70
DirName:/[email protected]/C=US/ST=VA/L=Wherever/O=ROOT1ORG/OU=ROOT1OU/CN=ROOT1
serial:58:66
E:15:3B:C4:1F:BE:40:4E:5E:0D:7C:1C:FD:71X509v3 CRL Distribution Points:
URI:http://dfi2/CertEnroll/ROOT1.crl
URI:file://\\dfi2\CertEnroll\ROOT1.crl
Authority Information Access:
CA Issuers - URI:http://dfi2/CertEnroll/dfi2_ROOT1.crt
CA Issuers - URI:file://\\dfi2\CertEnroll\dfi2_ROOT1.crt
Signature Algorithm: sha1WithRSAEncryption
01:20:d8:da:dc:18:5d:d1:4c:f1:31:bb:60:5c:84:73:1d:c3:
ec:8b:f8:c5:3f:98:d7:bc:4e:8e:f0:d8:26:a4:c3:af:8b:e7:
66:70:0d:d1:00:e1:fe:95:c3:cd:97:e3:75:23:04:bb:d1:a3:
98:9c:76:83:d2:03:bc:48:73:1b
It seems like this certificate is mssing "Basic Constraint - CA" and
several "Key Usages" ("Certificate Sign" and "CRL Sign").
I was wondering if there is there any way to get MS Certificate Services
to create a proper subordinate CA certificate?
Thanks,
Jim
, but I did a quick scan