Overview (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003)

Applies To: Windows Server 2003 with SP1

Qualified subordination allows an organization to extend its PKI trust hierarchy to other organizations and to secondary hierarchies within the same organization. Qualified subordination is also sometimes referred to as cross-certification. Extending PKI trust was already possible in a Windows 2000 network using certificate trust lists (CTLs), but CTLs were limited in how restrictions could be defined between the two organizations. Qualified subordination provides a more flexible and manageable trust mechanism.

When implemented using qualified subordination, each qualified subordinate CA can have rules defined that do the following:

  • Define the namespaces for which your PKI hierarchy will issue and accept trusted certificates

  • Specify the acceptable uses of certificates issued by a qualified subordinate CA

  • Define what issuance practices must be followed for a certificate issued by the qualified subordinate CA to be considered valid

  • Create a managed trust between separate certification hierarchies

Windows Server 2003 Enterprise Edition provides the necessary tools to configure qualified subordination between CAs, so that two organizations can define how certificates will be trusted between the organizations. These tools include the following:

  • Version 2 certificate template: allows CA administrators to modify certificate templates to meet their business purposes. Qualified subordination requires the use of version 2 certificate templates to include policy constraints. Modifications to version 2 templates can include:

    • Creating a new certificate template by duplicating and renaming an existing template

    • Modifying template properties such as certificate validity period, renewal period, cryptographic service provider (CSP), key size, and key archival settings

    • Establishing and applying enrollment policies, issuance policies, and application policies

  • Cross-Certification Authority Certificate: a version 2 certificate template that is issued from one CA to another CA, establishing qualified subordination between the two CAs. The CA that signs the cross-certification authority certificate enforces the constraints that are defined in that certificate.

  • Qualified Subordination Signing Certificate: a version 2 certificate template that must be manually created; it contains the Qualified Subordination application policy object identifier. A certificate issued from this template proves that the holder is approved to sign cross-certification authority certificates.

  • Certutil.exe: a command-line program that is installed as part of Certificate Services. It is used to dump and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

  • Certreq.exe: a command-line program that is installed as part of Certificate Services. It is used to request certificates from a CA. In qualified subordination, certreq.exe is used to request the cross-certification authority certificate at the issuing CA.
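As an added example that is not part of the original page, the following Policy.inf shows how the three kinds of rule listed at the top of this overview (permitted namespaces, acceptable certificate uses, required issuance practices) are expressed in the request that certreq.exe builds for the cross-certification authority certificate. The CA names, domains, CPS URL and issuance-policy OID are assumed values; the EKU OIDs are the standard ones.

```ini
; Policy.inf for a cross-certification authority request (added example).
; Assumed scenario: Contoso's issuing CA cross-certifies Fabrikam's root CA,
; trusting it only for the names and purposes listed below. certreq prompts
; for the Qualified Subordination Signing certificate that signs the request:
;   certreq -policy FabrikamRootCA.cer Policy.inf FabrikamRootCA.req
;   certreq -submit -config "CONTOSO-CA1\Contoso Issuing CA" FabrikamRootCA.req FabrikamCross.cer

[Version]
Signature = "$Windows NT$"

[RequestAttributes]
CertificateTemplate = CrossCA          ; the Cross-Certification Authority template

[BasicConstraintsExtension]
PathLength = 0                         ; only CAs directly below Fabrikam's root are trusted
Critical = Yes

[NameConstraintsExtension]
Include = NameConstraintsPermitted     ; namespaces Contoso will accept from Fabrikam
Exclude = NameConstraintsExcluded      ; namespaces refused even inside the permitted set
Critical = True                        ; clients that cannot evaluate the constraint must reject the chain

[NameConstraintsPermitted]
DNS = .fabrikam.com
email = @fabrikam.com
UPN = @fabrikam.com
DirectoryName = "DC=fabrikam, DC=com"

[NameConstraintsExcluded]
DNS = .lab.fabrikam.com                ; Fabrikam's test hierarchy stays untrusted

[ApplicationPolicyStatementExtension]
Policies = SecureEmailPolicy, ClientAuthPolicy   ; the only purposes accepted through this cross-certificate
Critical = False

[SecureEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4                ; Secure Email EKU

[ClientAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2                ; Client Authentication EKU

[PolicyStatementExtension]
Policies = HighAssurancePolicy         ; issuance practice a Fabrikam certificate must assert to be valid
Critical = False

[HighAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.1.2.3       ; placeholder, replace with Fabrikam's published issuance-policy OID
URL = "http://pki.fabrikam.com/cps/high-assurance.htm"   ; assumed CPS location
```

After the issuing CA signs the request, verify the resulting chain with certutil -verify against a Fabrikam end-entity certificate: a name outside the permitted set or a purpose not listed above should fail validation.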