Partager via


Stand-alone Offline Intermediate CA (IntermediateCA1)

Applies To: Windows Server 2003 with SP1

The stand-alone offline intermediate CA is also described as IntermediateCA1 in this document.

An offline stand-alone intermediate CA is part of a three-tier topology and is primarily used to add another layer of flexibility in an organization. The IntermediateCA1 is required to issue certificates to enterprise CAs that enroll authentication certificates only according to the CPS.

If you plan to implement a two-tier topology, skip this section and go to "Online Enterprise Issuing CAs (CorporateEnt1CA)," later in this paper.

Installation Prerequisites

To correctly install and configure the offline stand-alone intermediate CA, you will need the following:

  • The CPS that has all of the parameters that are specific to your organization. For more information, see "Certificate practice statement," earlier in this paper.

  • The Windows Server 2003 Server installation media

  • Appropriate hardware with a floppy disk drive

  • Two floppy disks, one labeled Transfer-RootCA and the second labeled Transfer-IntermediateCA.

The IntermediateCA1 must be a workgroup member because it is not connected with the network and has no connectivity to a domain controller. It is also important to ensure that the computer name of this server is unique in the organization's network, because the computer name is part of the CA configuration information that is published in Active Directory (For more information, see "Import Parent CA Certificates and CRLs into Active Directory" later in this document.) To ensure that the computer is a workgroup member, log on to the computer that becomes the offline intermediate CA and type the following at a command prompt, and then press ENTER:

net config workstation

If necessary, change the domain membership to a workgroup membership.

Install an HSM on IntermediateCA1

Before the CA setup procedure starts, verify that the Hardware Security Module (HSM) is set up correctly, according to the manufacturer's installation guide. For more information, see "Installing an HSM on an offline root CA" in this document.

Prepare the CAPolicy.inf File for IntermediateCA1

You must provide a CAPolicy.inf file before the CA setup procedure. The most important aspect of the capolicy.inf procedure is to allow all issuance policies at the intermediate level. A root CA always issues a SubCA certificate with all issuance policies allowed. At the intermediate CA level, this attribute must be set explicitly, otherwise it would allow all application policies but no issuing policies. An issuing CA cannot define any issuing policy if the CA certificate does not permit issuing of certificates. For more information, see Chapter 4.2.1.5, "Certificate Policies" at the Internet FAQ Archives Web site.

A stand-alone CA cannot define policies by certificate templates, because this is a feature of customizable V2 templates. A stand-alone CA does not benefit from V2 templates to issue certificates. The CAPolicy.inf file defines the policy that applies to all certificates that are issued by the intermediate CA.

Compared with the CorporateRootCA configuration, the CAPolicy.inf file does not need predefined CRL and AIA extensions because these configuration attributes are inherited from the parent CA which issues the subordinate CA certificate. Remember, that there are prerequisites that a CAPolicy.inf file gets processed properly.

Perform the following steps:

  1. Log on to the IntermediateCA1 computer with administrative privileges.

  2. Use a text editor, such as Notepad, to prepare the CAPolicy.inf file. For a template, use the sample file that is in "Sample CAPolicy.inf file for the IntermediateCA1 later in this paper.

  3. Save the file to %systemroot%\CAPolicy.inf

Obtain the Certificate and Its CRL from CorporateRootCA

Before you can set up the IntermediateCA1 computer, you must install the root CA certificate and the most current CRL that CorporateRootCA provides, because IntermediateCA1 verifies the root certificate trust during installation.

You may need to manually obtain the parent CAs certificate once. After the parent CA has been renewed, a new CA certificate must be imported into the IntermediateCA1 certificate store again. Because the root CA and the intermediate CA are not normally connected to the network and are offline, you cannot make the root CA certificate available via the network to the intermediate CA.

Compared to the CA certificate that can have a long validity time, such as several years, the importing method that you use for the offline parent CA CRL must be performed at regular intervals that correspond to the CRL publication interval. (For more information, see "Configure CRL publication interval by using the user interface," earlier in this paper.) You have to import the offline parent CA CRL regularly because an offline CA cannot retrieve CRLs automatically through the network. You must install a copy of the latest CRL in the local certificate store of an offline CA.

The CRL and the CA certificate are transferred to the subordinate CA computer on a floppy disk in the following configuration steps. The certificate and the CRL are available in a file format on the computer that is running as CorporateRootCA.

To retrieve the CA certificate and CRL:

  1. Log on to the computer that is running the CorporateRootCA as a user.

  2. At a command prompt, type the following command to copy the current certificate to the Transfer-RootCA floppy disk:

    certutil –ca.cert a:\concorp-ca-00_CorporateRootCA.crtc > nul

    Note

    If the CA has already been renewed, there might be more than one CA certificate available. In that case, use the copy command to transfer all CA certificates from the file system to the floppy disk. To do this, at a command prompt, type the following and press ENTER. copy %systemroot%\system32\certsrv\certenroll*.crt a:.

  3. To copy the CRL to a floppy disk, at a command prompt, type:

    certutil -GetCRL a:\CorporateRootCA.crl

  4. Remove the Transfer-RootCA floppy disk from the drive, and then insert the floppy disk into the subordinate CA computer.

    Note

    If the certificate was already renewed, there may be more than one CRL, so it is safest to copy all of the available CRLs from the Systemroot\System32\CertSrv\CertEnroll folder to the disk. However, during initial setup of the root CA, there should be only one CRL in the directory. If a .crl file has a + sign at the end of its name, the Publish Delta CRLs option has not been switched off, as explained in an earlier configuration step.

You can also export a certificate through the Certification Authority MMC snap-in. For more information about how to do this, see "Export the offline intermediate certificate at the root CA" in this document.

Import the Root CA Certificate and CRL to the Intermediate CA

The root CA certificate is required during the installation of the intermediate CA. It must be installed in the intermediate CAs certificate store before the intermediate CA is set up. Use the Certutil.exe command to import CA certificates into the certificate store, as described later in this section. When you do this, the certificates and CRLs are imported in the correct location.

If the CorporateRootCA certificate has been renewed, it is important that you import the entire set of CA certificates and CRLs. A set can be identified by the version number, because the CA certificate and CRL have the same version number.

Example

If CorporateRootCA is running with a certificate that was generated during installation, then the following files must be imported into the intermediate CA.

Table 18 Files to Import With a New Certificate

File name Description

Concorp-ca-00_CorporateRootCA.crt

CA certificate

CorporateRootCA.crl

CRL

As mentioned earlier, you must import the CA certificate and CRL from the CorporateRootCA after the Root CA certificate was renewed. In the example below, note that Windows adds an incremental value to the filename if there is more than one CA certificate and CRL. For example, if the CorporateRootCA has been renewed twice, you must import the following list of files into IntermediateCA1.

Table 19 Files to Import With a Previously-Used Certificate

File name Description

Concorp-ca-00_CorporateRootCA(2).crt

CA certificate

CorporateRootCA(2).crl

CRL

Import the Root CA Certificate and CRL to an Intermediate CA Using the MMC

This section describes how you can import a certificate import by using the Certificates MMC. The following steps about how to import the root CA and CRL to an intermediate CA by using the MMC snap-in are primarily for illustration purposes.

It is easier to import the CA certificates at a command prompt. The procedure for this is given later in this section.

  1. To use the Certificates MMC to import a certificate and CRL, first verify that the CA certificate uses both the correct context and container. Log on to the IntermediateCA1 computer as a local administrator. Local admin permissions are required to import certificates or CRLs into the local systems certificate store.

  2. Click Start, click Run, type mmc.exe, and then press ENTER.

  3. Add the Certificates MMC snap-in:

    1. On the File menu, click Add/Remove Snap-in, and then click Add.

    2. Click Certificates, and then click Add.

    3. Click Computer account, and then click Next.

    4. Click Local computer, and then click Finish.

      Note

      Because there are different certificate stores on a computer, you must select the correct certificate store. The computer account is required because the CA runs as part of the local system security context. Because of this, the CA can gain access to all of the information that is stored in the local computer's certificate store. Only security principals who have administrative permissions on the computer can write certificates to the System certificate store. For detailed description about certificate stores, see the Security chapter of the Windows 2000 Resource Kit on the Microsoft Web site.

    5. Click Close, and then click OK.

  4. Import the certificate. To do this:

    1. Click Certificates, and then, on the View menu, click Options.

    2. Select the Physical certificate stores check box.

    3. In the console tree, double-click Certificates (Local Computer), double-click Trusted Root Certification Authorities, and then double-click Registry.

    4. Right-click Certificates, point to All Tasks, click Import, and then click Next.

    5. Insert the Transfer-RootCA floppy disk into the floppy disk drive, and then click Browse.

    6. Navigate to the certificate file, and then click Open.

    7. Decide the location where you want the certificate stored, click Place all certificates in the following store, and then click Next.

      Note that your current certificate container is the predefined value because the import procedure has been started from there.

    8. After you view the report about which options you selected in the import wizard, click Finish to import the certificate.

    9. After you click Finish, you receive a message that confirms the status of operations. Also, the certificate appears in the list of certificates.

  5. Import the CRL. To do this:

    1. Double-click Certificates (Local Computer), and then double-click Trusted Root Certification Authorities.

    2. Right-click Registry, point to All Tasks, click Import, and then click Next.

    3. Insert the Transfer-RootCA floppy disk into the floppy disk drive, and then click Browse.

    4. Browse to your floppy disk drive, click the CRL file, and then click Open.

    5. Click Place all certificates in the following store to decide in which location the certificate should be stored, and then click Next.

      The registry node that is under Intermediate Certification Authorities is the predefined value because the import procedure has started as an action on the Intermediate Certification Authorities container.

    6. After you review the report that displays the options that you have selected, click Finish to import the certificate.

After you complete this procedure, the CA certificate and the CRL are installed in the local computers certificate store.

Note

You must repeat the steps in this section to import more CRLs and certificates. You must do this if the CorporateRootCA certificate has been renewed or a new version of the CRL has been published.

Find a Certificate in the Certificate Store

If you imported the certificate into the incorrect certificate store, you may want to use the Find Certificates option.

You can also use the Find Certificates option to identify duplicate certificates that exist in several certificate stores. If you correctly set up the certificate, the certificate is kept only one time. If the same certificate appears several times, remove the duplicate certificates and verify that the certificate is stored in the correct container. It is important to know which certificate belongs in which certificate store. For information about how to verify CA certificates, see the "Relationship of the Configuration Container and Certificate Store" section in this document. For more information regarding root certificates, see the articles "Trusted Root Certificates That Are Required By Windows 2000" on the Microsoft Web site and "How to Remove a Root Certificate from the Trusted Root Store" on the Microsoft Knowledge Base.

To find a certificate in the certificate store:

  1. Click Start, click Run, type mmc.exe, and then press ENTER.

  2. Right-click Certificates, and then click Find Certificates.

  3. Choose your search criteria, and then click Find Now.

If your search is successful, you will see a list of certificates and the certificate's corresponding store that match your search criteria.

Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File

To import both the root CA certificate and the CRL from a batch file:

  1. Log on to the IntermediateCA1 computer as a local administrator because local administrative permissions are required to import certificates or CRLs into the local computer's certificate store.

  2. Click Start, click Run, in the Open box, type cmd.exe, and then press ENTER.

  3. Insert the floppy disk labeled Transfer-RootCA into the floppy disk drive on the intermediate CA computer.

  4. At a command prompt, type the following two commands, and then press ENTER.

    for %C in (FloppyDrive:\*.crt) do certutil –addstore –f Root %C

    for %C in (FloppyDrive:\*.crl) do certutil –addstore –f Root %C

    where FloppyDrive is the drive letter of the floppy disk drive.

This will install all certificates and the latest CRL to the appropriate CryptoAPI store. (Note that the loop around the certutil command simplifies the import procedure because there may be more than one certificate or CRL on the floppy disk that needs to be imported.) The optional –f parameter forces an overwrite of the certificate if the certificate has been previously added to the store.

Only valid certificates are imported to the certificate store.

Note

Because it might be difficult to determine which CA certificate or CRL version is required, it is recommended that, if several CRLs exist, you import all CRLs from the root CA. For more information about the CA certificate and CRL storage, see Relationship of the configuration container and certificate store in this white paper.

Verify the Root CA Certificate Import Procedure From a Command Prompt

After both the root CA certificate and CRL are imported, you can use the Certutil.exe utility to confirm that the import procedure was successful. It is important to insure that the certificates have been put into the right certificate stores.

To see a list of certificates that are stored in the root CA certificate store, type the following command at a command prompt:

certutil –verifystore root

The version number is shown as part of the output text that will appear. Confirm that the version number of the CA certificate and the CRL match.

Install the Offline Intermediate CA Software Components

The installation procedure that you use for a subordinate CA is different from the installation procedure that you use for a root CA. Use the following steps to set up IntermediateCA1:

  1. Log onto IntermediateCA1 as a local administrator.

    During the CA installation procedure, this account becomes a CA administrator, which is a role that can also be delegated to other user accounts. For more information about CA roles and permission, see Windows Server 2003 Server Help.

  2. To open the Windows Components Wizard, do one of the following:

    To Do this

    Use a command prompt

    1. Click Start, click Run, and in Open, type cmd, and then click OK.

    2. At the command prompt, type sysocmgr /i:sysoc.inf, and then press ENTER.

    Use Control Panel

    1. Click Start, point to Settings, point to Control Panel, and then click Add or Remove Programs.

    2. In Add or Remove Programs, click Add/Remove Windows Components.

  3. Select the Certificate Services check box, and then click Next.

    To correctly run Certificate Services, the following list of software components is required. Web enrollment and IIS are optional components on an offline Windows Server 2003 CA that could be installed with the CA at the same time or at a later date.

    Note

    As described in "Installing the offline root CA software components" in this document, IIS is not required on an offline CA. However, you can have IIS on the computer in order to enroll certificates through Web enrollment support. IIS is not recommended as a security best practice, but is shown in this document only as an example for the procedures.

    Certificate Services

    • Certificate Services CA

    • Certificate Services Web enrollment support

    Internet Explorer

    Application Server

    • Enable network COM+ access

    • Internet Information Services (IIS)

    • Common Files

    • Internet Information Services Manager

    • World Wide Web services

    • Active Server Pages

    • World Wide Web services

    A Windows 2000 offline CA requires IIS in order to satisfy offline requests. A Windows Server 2003 CA is also able to process offline certificate requests as a function of the Certification Authority MMC. Alternatively, you can submit offline requests from a command prompt by using Certreq.exe.

  4. When you are prompted to choose the type of installation procedure, click Stand-alone subordinate CA, select the Use custom setting to generate the key pair and CA certificates check box, and then click Next.

    The Enterprise Root CA and Enterprise Subordinate CA options are not available because the computer is not a member of an Active Directory domain.

  5. Do one of the following:

    • If you installed an HSM, in CSP, you must select the CSP that you installed during the HSM installation procedure in CSP.

    • If you did not install an HSM, in CSP, click Microsoft Strong Cryptographic Provider.

  6. In Hash algorithm, click SHA-1.

    The default setting, SHA-1, is the most common and interoperable hash algorithm that is used by applications and operating systems. For more information about CSP support on computers that are running Windows 2000, see "Microsoft Enhanced CSP Is Not Supported for Certificate Services Installations" on the Microsoft Knowledge Base.

  7. In Key length, select 2048.

    There is no verification of the key length that you type into the box. Because of this, verify that the key length is interoperable with organizational applications and other PKI components.

  8. Verify that both the Allow this CSP to interact with the desktop and Use an existing key check boxes are cleared, and then click Next.

  9. In Common name for this CA, type a common name for the CA. For this example, type IntermediateCA1.

    As it is specified in the CPS, you must specify the common name (CN) for this CA. The CN cannot exceed 64 characters in length; however, it is recommended that you use a maximum CN length of 51 characters to prevent encoding length rule violation.

  10. (Optional) In Distinguished name suffix, type the distinguished name suffix for the CA, and then click Next.

    If you type a distinguished name suffix in Distinguished name suffix, confirm that you have typed the name correctly so that it works in the context of the Active Directory domain name. In the Contoso scenario, the distinguished name is DC=concorp,DC=contoso,DC=com.

  11. The CA certificate's validity period for a subordinate CA is always determined by the parent CA. For more information, see "Set the validity period for issued certificates at the offline root CA," earlier in this document.

  12. If you have uninstalled a CA on this computer already, you receive a warning message that confirms that you want to overwrite the private key from the previous CA installation. It is recommended that you ensure that the private key is never required again. If you make a backup copy of the system, it is more likely that you will not lose any data. (You can also make a backup copy of the private key as an alternative to a system backup. To do this, at a command prompt, type certutil –backupkey -?) If you are not sure if you want to overwrite the private key, click No to cancel the installation procedure. If you click Yes, a new key is generated and the new key replaces the existing key.

    The key pair is generated by the CSP and written to the local computers key store.

  13. On Certificate Database Settings, confirm that Certificate database, Certificate database log, and Shared folder are set to the folder that you want to use.

  14. (Optional) To install a CA in the same location as a CA that was installed previously, select the Preserve existing certificate database check box, and then click Next.

  15. In Shared folder, confirm that the specified folder is set to a local path, such as C:\CAconfig, and then click Next.

  16. Insert the Transfer-IntermediateCA floppy disk into the disk drive.

  17. On CA Certificate Request, click Save the request to a file and, in Request file, type a name for the request file that will be saved to the floppy disk, and then click Next.

    The file must have a .req extension, such as a:\IntermediateCA1.req.

  18. If you receive a message that IIS must be stopped to continue the installation, click Yes.

    The intermediate CA needs to submit the certificate request to its parent offline CA. Because the CorporateRootCA computer is running without a network connection, you must transfer the requested file on a floppy disk.

    Warning

    Verify that the floppy disk is available before you proceed. If the storage device is not accessible, you receive an error message, the CA setup procedure stops, and you must reinstall the CA. Before you can reinstall the CA, you must uninstall Certificate Services Web-Enrollment Support if it was supposed to be installed.

  19. The Windows Component Wizard completes the certificate services configuration.

    When the CA certificate has obtained a signed subordinate CA certificate from its parent CA, the wizard displays a message which says that the installation has finished. Make sure that the local storage device is available to save the request file, and then click OK.

  20. Click Yes to enable ASP pages that are required for Web enrollment services.

    IIS is installed for illustration purposes as part of this configuration, but Active Server Pages (ASP) pages are not enabled by default. Because of this, the CA setup procedure provides an option to automatically enable the ASP pages.

    If you click No, you can enable ASP by typing certutil –vroot at a command prompt at a later time.

    Art ImageFigure 8: Enable Active Server Pages

  21. After the wizard finishes installing files, click Finish, and then click Close.

  22. Remove the Transfer-IntermediateCA floppy disk from the disk drive, and then take the floppy disk to the parent CA (CorporateRootCA).

Verify the Certificate Request

Before the certificate request is submitted to the parent CA, verify that the policy identifier that you set in the CA configuration through CAPolicy.inf is correct. If the syntax of the CAPolicy.inf file is incorrect, certain configuration information may be missing from the request file. To verify that all configuration information is properly included in the certificate request, view and examine the request file. To verify the request file, at a command prompt, type certutilRequestFile, where RequestFile is the request file that you save to the floppy disk, including the correct path, and then press ENTER.

The command produces output that is similar to the following output. Verify that the Certificate Policies section is correct as well as all of the other information that is specified in the CAPolicy.inf file.

If the Certificate Policies section does not appear in your certificate request, see Prepare the CAPolicy.inf file for IntermediateCA1, in this document, correct the syntax in the CAPolicy.inf file, and then repeat the subordinate CA installation procedure.

Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[2][0]:
    Unknown Attribute type
Certificate Extensions: 6
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        84 b9 bf 37 a7 9b 0d 75 28 62 00 27 bf 72 da d0 66 a5 79 e8
    2.5.29.32: Flags = 0, Length = 139
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=1.3.6.1.4.1.311.21.43
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Legal policy statement text.
        [2]Certificate Policy:
             Policy Identifier=1.3.6.1.4.1.311.21.47
             [2,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       https://www.contoso.com/pki/LimitedUsePolicy.htm
             [2,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ftp://ftp.contoso.com/pki/LimitedUsePolicy.txt
             [2,3]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Limited use policy statement text.

Certificate Request Processing with the Root CA through MMC

The subordinate CA certificate request that is saved on the Transfer-IntermediateCA floppy disk must be signed by the parent (CorporateRootCA).

You can submit a request to an offline CA by using either the Certification Authority MMC or the Web Enrollment page that is on the parent Windows Server 2003 CA. You can also submit the request by typing certreq.exe –submit at a command prompt. All methods allow you to submit a certificate request that you have saved to a request file (*.req). This section will present the first method, using the Certification Authority MMC. For more information about using the Web Enrollment page, see "Certificate request processing with the offline parent CA (IntermediateCA1) through Web-Enrollment Support," later in this document.

Warning

If a previous CA setup procedure did not work and you repeat the setup procedure, do not reuse the request file from the earlier CA setup procedure. It has an association with previous key material that will not be associated with the current CA that you are installing.

If a CA is set up, the key material is generated and the certificate request is submitted to the parent CA. The relationship between key material and certificate is maintained by the AKI certificate attribute. To ensure that the association of the CA key pair and certificate request matches, a unique request file must be used when a CA is set up.

  1. Log on to the CorporateRootCA computer as a CA administrator.

    Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority.

  2. You can also click Start, click Run, type certsrv.msc, and then press ENTER.

  3. In the console tree, right-click the certification authority you are working with, point to All Tasks, and then click Submit new request.

  4. Insert the Transfer-IntermediateCA floppy disk into the CorporateRootCA computer's floppy disk drive, browse to the disk drive, click the certificate request file, and then click Open.

  5. A stand-alone CA typically issues certificates only after a manual issuing process. (You can change the request handling on the Policy Module tab of the CA's Properties.) In the default configuration, you must manually issue the certificate request by the parent CA:

    1. In the Certification Authority MMC console tree, under the name of the CA you are working with, double-click the Pending Requests container.

    2. In the details pane, right-click the appropriate pending certificate request that corresponds to the submitted subordinate CA request, point to All tasks, point to View Attributes, and then click Extensions.

    3. Click Certificate Policies, and then verify that the information is correct.

      If the certificate policy information that is defined in the Intermediate CA's CAPolicy.inf file does not appear here, deny the request and return to "Prepare the CAPolicy.inf file for IntermediateCA1," earlier in this document.

    4. In the console tree, click Pending Requests, and, in the details pane, right-click the pending request, point to All Tasks, and then click Issue.

      The request is processed and the certificate request is removed from the list.

      By default, a stand-alone Windows 2000 or Windows Server 2003 CA issues certificates with only a two-year lifetime. Because the registry key that has an impact on the validity time of the certificate was previously set, the certificate enrollment continues with the value that you specified. For more information, see "Set the validity period for issued certificates at the offline root CA" in this document.

    5. In the console tree, click expand the Issued Certificates container and, in the details pane, right-click the certificate, and then click Open to verify the certificate as described in the next step.

Verify the IntermediateCA1 Certificate

To ensure that the certificate that was issued for IntermediateCA1 has the correct certificate properties, verify the issued certificate:

  1. Because a CA policy is specified for IntermediateCA1, the issued certificate will allow all issuer and all application policies. On the General tab, click Issuer Statement and verify that the certificate is valid for the following purposes:

    • All issuance policies

    • All application policies.

  2. Click Close to return to the certificate viewer.

  3. Click the Details tab, and then verify that the CRL Distribution Points and Authority Information Access values are the same as the distribution points that are specified . Verify other certificate attributes, as required. If values do not match, see "Configure CorporateRootCA distribution points for CRL and AIA," earlier in this document, to help you correct the configuration.

Note

You can also verify the certificate after it has been exported to a file. To view the certificate information from a PKCS #7, .der, or Base64-encoded certificate file, at a command prompt, type the CertFile name and hit ENTER. Replace ,CertFile with the location and file name of the certificate file.

Export the Offline Intermediate Certificate at the Root CA

If the certificate that was issued for the intermediate CA passes the verification steps, export the certificate from the root CA.

Note

Because the Certificate Export Wizard can include the complete certificate path with the exported file, you should use this method instead of the binary export method which only exports a single certificate.

  1. Open the Certification Authority MMC.

  2. In the console tree, under the CA that you want to work with, click Issued Certificates.

  3. In the details pane, double-click the subordinate CA certificate you want to work with, click the Details tab, click Copy to file, and then click Next.

  4. Click Cryptographic Message Syntax Standard – PKCS#7 Certificates (.P7B), select the Include all certificates in the certification path if possible check box, and then click Next.

  5. Type a file name without an extension for the export file, and then save the file on the Transfer-IntermediateCA floppy disk.

    For example, you could type A:\IntermediateCA1. The file is automatically saved on the floppy disk with a .p7b file name extension.

  6. Click Next, click Finish, click OK, and then click OK again.

    The certificate contains only public information, because the key material that is associated with the certificate was generated and is stored on the IntermediateCA1 computer. There is generally no need to protect the certificate information that is stored on the floppy disk. The CA certificate and the parent CA certificates are always considered to be public information.

  7. In the console tree, click Issued Certificates.

  8. Right-click the issued certificate in the details pane, point to All Tasks, and then click Export Binary Data.

    In Columns that contain binary data, Binary Certificate is the default choice.

  9. Click Save binary data to a file, and then click OK.

  10. Insert the Transfer-IntermediateCA floppy disk into the drive, in File name, enter a file name with a .cer extension, and then click Save.

    For example, you could type A:\IntermediateCA1.cer. The certificate is then saved in the DER-encoded file format.

  11. On the File menu, click Exit, and then log off of the CorporateRootCA computer.

Install the Certificate on IntermediateCA1

You have now processed the request that was sent to the root CA and saved it on the Transfer-IntermediateCA floppy disk. You must now install the signed subordinate CA certificate that belongs to IntermediateCA1. You can install the CA certificate either by running a command at a command prompt or by using the Certification Authority MMC. The subordinate CA certificate request will only be accepted by the parent CA if it carries the requesting CAs signature on the request.

Verify the IntermediateCA1 Certificate Trust Chain

To prevent unexplained or unintentional behaviors, verify the certificate trust chain. You must complete the trust chain verification procedure from a command prompt because the trust path that is displayed in the Certification Authority MMC Snap-in uses a different implementation for chain-building.

  1. Log on to the IntermediateCA1 computer as a local administrator

  2. At a command prompt, type

    certutil –verifya:\CACertFile**.crt**

    where a:\CACertFile is the path and name of the file.

  3. Press ENTER to view the full certificate verification results.

This command may generate a lot of output. When dwErrorStatus is not equal to zero, a certificate verification error has occurred, so you should verify that dwErrorStatus is equal to zero (0) on each line that is produced.

You can also use the following command

certutil –verifya:\CACertFile**.crt | findstr /c:dwErrorStatus**

where a:\CACertFile is the path and name of the file.

Output that has completed the CA certificate verification without errors looks like the following sample output:

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0

The certificate verification process retrieves any CRL that is necessary to verify the certificates. After the verification process, cached copies of the CRLs are available in the temporary Internet Explorer folder on the client.

Install the Certificate on IntermediateCA1

After you have verified that the certificate trust chain can be properly built, install the CA certificate.

  1. Log on to the IntermediateCA1 computer as either a CA administrator or local administrator.

  2. Click Start, point to Administrative Tools, and then click Certification Authority to start the Certification Authority MMC Snap-in.

  3. In the console tree, right-click IntermediateCA1, point to All Tasks, and then click Install CA Certificate.

  4. Insert the Transfer-IntermediateCA floppy disk into the floppy disk drive.

  5. Browse to the floppy drive, click IntermediateCA1.p7b, and then click Open.

  6. (Optional) If the parent CA certificate has not been previously trusted, you may receive a message that says that the root certificate is not trusted. Click OK, and then install the root CA certificate to the trusted root CA certificate store on the local computer.

    The root CA of the certificate chain must be locally trusted so that the CA service can start. For more information, see "Import the root CA certificate and CRL to the intermediate CA," earlier in this document.

  7. In the console tree, right-click the name of the stand-alone offline intermediate CA, point to All Tasks, and then click Start Service.

    This brings the stand-alone offline intermediate CA into an operational state by starting the CA service. You can also type net start certsvc at a command prompt.

    Note that, after the CA has been started successfully, the icon that displays the CAs operational state turns into a green check mark.

  8. On the File menu, click Exit to close the Certification Authority MMC.

  9. Log off of the IntermediateCA1 computer.

Continue the installation procedure by following the steps in the Installation cleanup section in this document.

Install the Certificate at IntermediateCA1

To install the certificate at a command prompt:

  1. Log on to the computer as a local administrator with CA Management permissions.

  2. At a command prompt, type

    certutil.exe –installcert A:\IntermediateCA1.p7b

    Note

    If you used a .cer file instead of a p7b file and you receive a warning message at the end of the output such as "A certificate chain was processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)," it is possible that the parent CA certificate has not been imported into the local computer certificate store or that the parent CA certificate has been saved to the wrong store. To correct this error, see "Import the root CA certificate and CRL into an intermediate CA from a batch file," later in this document. To resolve this behavior, you can also use a PKCS#7 file (a .p7b file) that includes the entire certificate chain instead of a binary certificate file.

  3. To start the CA service, at a command prompt, type net start certsvc.

Installation Cleanup

For security reasons, it is recommended that you delete the certificate request file on the Transfer-IntermediateCA floppy disk that you used to generate the CA certificate.

Configure IntermediateCA1

After you complete the steps in the previous sections to configure the offline CA, you can complete the remaining steps for IntermediateCA1 with a batch file script. The difference between the root CA configuration and the subordinate CA configuration is the validity period for issued certificates. To configure the subordinate CA:

  1. Log on to the IntermediateCA1 computer as local or CA administrator.

  2. Start a text editor, such as Notepad.

  3. In this document, copy the sample text in Sample script to configure IntermediateCASample to a new document in the text editor.

  4. Save the text file as %temp%\subcacfg.cmd.

  5. Close the text editor.

  6. At a command prompt, type %temp%\subcacfg.cmd, and then press ENTER.

Include CA Policy in Certificate Requests

The option around the CA issuer and application policies is a choice at which CA level the policy is applied. If you plan to configure a issuer statement at a CA, you must configure the parent CA to add information about the CA policy to its issued certificates. See "Sample CAPolicy.inf file for the IntermediateCA1 later in this paper.

If this configuration step is skipped, an intermediate CA will not accept or allow CA certificate policies from its subordinate CAs. If required, you can apply this configuration step at the time when a issuer or application policy needs to be included in a certificate request from a subordinate CA.

To include a policy in issued certificates, enter the following commands at a command prompt:

certutil -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"

certutil –shudown

net start certsvc

You can disable the setting with certutil -v -setreg policy\EnableRequestExtensionlist "-2.5.29.32"

certutil –shudown

net start certsvc

Verify the IntermediateCA1 Configuration

After you use the steps in the previous sections, ensure that the CA is configured properly and ready for production operations. You should apply the verification steps as described in the following sections in this document because they apply to the intermediate CA the same way as for a root CA:

  • Verify the root CA configuration

  • Verify the CorporateRootCA CRL and AIA configuration

  • Verify the published CRL

Finalize the CA Configuration

After you apply the steps from the previous sections in this document, the intermediate CA is operational and ready to issue certificates.

If you installed a Windows 2000 CA instead of a Windows Server 2003 CA, you should apply the additional configuration steps that are explained in the Disable issuer name and issuer serial number section in this document.