Using Qualified Subordination to Restrict Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Many of the certificates that you issue can be used without any further customization. However, you might want to limit the scope of your certificates, whether they are intended to validate a subordinate CA, to cross-certify an external CA, or to enable an end user application. You can limit the scope of a certificate by:

  • Defining the namespaces for which a subordinate CA will issue certificates.

  • Specifying the acceptable uses of certificates issued by a qualified subordinate CA.

  • Creating trust between separate certification hierarchies.

Qualified subordination restricts which certificates issued by the qualified subordinate CA, or by CAs that chain through it, your organization accepts as valid. You accomplish this by defining the following in the Policy.inf file:

  • Basic constraints. Define the maximum certification path length: how many further levels of subordinate CA, if any, may exist below the qualified subordinate CA. (Depth limits on requiring explicit policy and on inhibiting policy mapping belong to a separate extension, policy constraints.)

  • Name constraints. Define the namespaces (DNS names, e-mail addresses, UPNs, directory names) for which the qualified subordinate CA and its subordinates are permitted, or excluded, from issuing certificates.

  • Issuance policies. Define the extent to which your organization trusts the identity presented in a certificate. These policies are identified in a certificate by object identifiers.

  • Application policies. Define the applications that can be used in conjunction with certain certificates.

Note

  • The Policy.inf file is different from the CAPolicy.inf file. The Policy.inf file is applied to a subordinate CA request to produce a qualified subordination request, whereas the CAPolicy.inf file controls the contents of the CA's own certificate when the CA is installed or renewed.

In addition, if you are attempting to connect two different PKIs, whether within your organization or with a third party, you need to use policy mapping to declare which of your issuance policy object identifiers are equivalent to the issuance policy object identifiers defined in the other PKI. Together, constraint extensions and policy mapping let you control certificate usage precisely and make your certificates easier to administer.
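A complete Policy.inf that exercises each of the constraints listed above and a policy mapping, as an added example (not taken from the original page or from Microsoft's documentation). The domain contoso.com, the section names after the policy keywords, the policy notice text and every issuance policy OID (the 1.2.3.x values) are placeholders to be replaced with your own; the well-known application policy OIDs for secure e-mail and client authentication are standard values. The [PolicyConstraintsExtension] section at the end is included from memory of the certreq Policy.inf syntax and should be treated as an assumption to verify against your certreq reference before use.

```ini
; Policy.inf - constructed example for a qualified subordinate CA.
; Applied to a pending subordinate CA request with:
;   certreq -policy subca.req Policy.inf subca_qualified.req
; and the resulting request is then submitted to the parent CA.

[Version]
Signature = "$Windows NT$"

; Basic constraints: PathLength = 0 means this CA may issue end-entity
; certificates only; no further CA may be placed below it.
[BasicConstraintsExtension]
PathLength = 0

; Name constraints: the only namespaces this CA (and anything chaining
; through it) may issue for. Marked critical so a relying party that
; cannot process the extension rejects the chain instead of ignoring it.
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS = ".contoso.com"
Email = "@contoso.com"
UPN = "@contoso.com"
DirectoryName = "DC=contoso,DC=com"

[NameConstraintsExcluded]
; Carved out of the permitted tree: a test lab that must never get production certificates.
DNS = ".lab.contoso.com"

; Issuance policies: the assurance levels this CA is trusted to assert.
; Every certificate below this CA may carry only a subset of these OIDs,
; and these OIDs must in turn be a subset of (or mapped to) the parent's.
[PolicyStatementExtension]
Policies = MediumAssurancePolicy, HighAssurancePolicy
Critical = False

[MediumAssurancePolicy]
OID = 1.2.3.4.1                      ; placeholder: your medium-assurance OID
Notice = "Contoso medium assurance issuance policy"
URL = "http://pki.contoso.com/cps/medium.htm"

[HighAssurancePolicy]
OID = 1.2.3.4.2                      ; placeholder: your high-assurance OID
Notice = "Contoso high assurance issuance policy"
URL = "http://pki.contoso.com/cps/high.htm"

; Application policies: what certificates issued below this CA may be used for.
[ApplicationPolicyStatementExtension]
Policies = SecureEmailPolicy, ClientAuthPolicy
Critical = False

[SecureEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4              ; id-kp-emailProtection (standard value)

[ClientAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2              ; id-kp-clientAuth (standard value)

; Policy mapping (cross-certification only): declare that the partner PKI's
; high-assurance policy is equivalent to ours. Form: <our OID> = <partner OID>.
[PolicyMappingsExtension]
1.2.3.4.2 = 1.2.3.5.7                ; both placeholders
Critical = False

; Policy constraints (assumed syntax, see lead-in): require an explicit policy
; from this point in the chain onward and stop any further policy mapping.
[PolicyConstraintsExtension]
RequireExplicitPolicy = 0
InhibitPolicyMapping = 0
Critical = True
```

After the parent CA has issued the certificate, dump it with certutil -dump and confirm that the Name Constraints, Certificate Policies, Application Policies and Policy Mappings extensions appear with the values above; a certificate issued beneath this CA for a name outside .contoso.com, for a name inside .lab.contoso.com, or asserting a policy OID that is not listed here will then fail chain validation on any relying party that enforces these extensions. Note the subset rule the following paragraphs describe: if the parent CA certificate asserts policy OIDs that do not include the ones declared here (directly or via mapping), the chain has no valid policy and every certificate below it is rejected.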

Qualified subordination allows you to ensure that specific constraints are applied when a CA issues or an application uses a certificate. These constraints ensure that all certificates issued by the CA apply the policy restrictions that you have defined.

By definition, your root CA applies all policies. You can use intermediate CAs to issue certificates that enable different levels of security, such as High Security, Medium Security, and so on. The security policies that you define are identified by means of object identifiers. When certain object identifiers are applied to a CA certificate, all certificates below that CA in the hierarchy may carry only a subset of those object identifiers. If a certificate in the chain asserts policy object identifiers that do not intersect with those of its issuing CA, the chain has no valid policy, and any certificates issued through it are considered invalid. However, if no CA in the chain asserts any policy object identifiers at all, the certificates that you issue are considered to match the "any policy" object identifier. Figure 16.16 shows how policy is applied to CAs.

Figure 16.16   How Policy Is Applied to CAs

The policies and constraints of each qualified subordinate CA are a subset of the policies and constraints of the parent CA.