Creating Certificate Hierarchies with MS Certificate Server Version 1.0

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Rick Johnson, Program Manager, Windows NT Distributed Systems

On This Page

Introduction
Install a Certificate Authority Representing the Root Certificate Authority
Install a Certificate Authority Representing the Subordinate Certificate Authority
Establish Certificate-based Trust Between the Root and the Subordinate
Issue a Certificate to End Entities

Introduction

This document describes how to use Microsoft® Certificate Server version 1.0 and certification authority hierarchies with Microsoft® Exchange Server version 5.5 Service Pack 1.

As noted in the Microsoft® Windows NT® Option Pack release notes, Microsoft Certificate Server 1.0 does not officially support certification authority hierarchies. However, several of the key capabilities of a "certification authority hierarchies" feature do work and can reasonably be used in an implementation with Exchange Server to achieve most of the desirable characteristics of certification authority hierarchies.

This document first reviews some preliminary information about certificates, certification authorities, and certification authority hierarchies. It then describes a recommended approach for implementing a straightforward certification authority hierarchy with Microsoft Certificate Server version 1.0 that can be used with Microsoft Exchange Server version 5.5 Service Pack 1.

Certificates, Certification Authorities, and Certificate Hierarchies

This section gives a quick review of certificates and certification authorities. The RSA FAQ (https://www.rsa.com) describes certificates as "…digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a given public key does in fact belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. In their simplest form, certificates contain a public key and a name. As commonly used, a certificate also contains an expiration date, the name of the certifying authority that issued the certificate, a serial number, and perhaps other information. Most importantly, it contains the digital signature of the certificate issuer."

The certification authority (CA) issues certificates based on the receipt of a request to do so and its policy for issuance. CAs can issue certificates both to end users, such as for use by Exchange mail clients, and to other CAs. A certificate issued to an end user is known as an end entity certificate. The other type of certificate is the CA certificate. CA certificates come in two varieties, root and subordinate. A root certificate is, as it implies, at the top of a tree of trust, and it represents a root CA. Similarly, a subordinate certificate represents a subordinate CA, and its certificate is signed by a "next higher level" CA. This "next higher level" CA may be a root CA, or it may itself be a subordinate CA.

The CA hierarchy is a fundamental element required for creation of a Public Key Infrastructure (PKI). In their basic form, CA hierarchies implement a simple hierarchical model of trust. This is useful for the following reasons:

  • Scalability

  • Support for multiple applications

  • Support for multiple policies

  • Simplified risk management

For example, consider the following model of a CA hierarchy:

[Figure hier1: a root CA, a subordinate CA whose certificate the root issued, and an end entity certificate issued by the subordinate CA]

In this model we have a root CA, capable of issuing certificates to other CAs; a subordinate CA, with its certificate issued by the root CA and capable of issuing certificates to end entities (users); and an instance of an end entity certificate, as issued by the subordinate CA.

Trust is established from the bottom up, starting with the end entity. Each certificate, described above as minimally a binding between a public key and a name, has a corresponding private key. That private key is used to sign the certificate of the next lower level, and the signature is what creates the binding. In this hierarchy the root signs the subordinate CA's certificate, the subordinate CA signs the end entity's certificate, and the end entity signs the documents exchanged between participants. Read from the bottom: the end entity certificate is digitally signed by the subordinate CA, the subordinate CA certificate is signed by the root, and the root certificate is signed by the root itself.

At each level a recipient uses a certificate to authenticate each signature. Thus, a recipient uses the end entity certificate to authenticate the signature on a document, the subordinate CA certificate to authenticate the signature on the end entity certificate, the root certificate to authenticate the signature on the subordinate CA certificate, and the root certificate to authenticate the signature on its own certificate.

Verifying the chain therefore lets a recipient establish that the signature on a document traces back to an entity that possesses the private key associated with the root certificate, and that each entity in the path possesses the private key associated with its own certificate. Given that all participants (senders and recipients) trust the root, that is, its certificate and the holder of its private key, the authenticity of exchanged documents can be established.
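The bottom-up verification just described, written out as an added example in Python. This is not code from the paper or from Certificate Server: certificates are plain dicts, the RSA keys are toy 32-bit keys built from hard-coded primes so that everything runs with the standard library alone, and the names PkiTestCa, PkiTestSubCA and emailcert are taken from the certmgr output later in this paper. Besides the happy path it exercises two checks the paragraph implies but does not spell out: an issuer must itself be marked as a CA permitted to sign certificates, and the walk must end at a self-signed certificate that the recipient already trusts.

```python
"""Bottom-up validation of the root -> subordinate -> end entity chain.

Added example; it is not code from the original paper or from Certificate
Server. Certificates are dicts and the RSA keys are 32-bit toy keys built from
hard-coded primes, chosen so the arithmetic stays readable and needs only the
standard library. The keys are worthless as security; the validation logic is
the real one: start at the end entity, verify each signature with the issuer's
public key, require that every issuer is a CA permitted to sign certificates,
and stop only at a self-signed certificate that is in the trust store.
"""
import hashlib
import json

E = 65537
# Assumed primes below 2**16 (checked at import); not the CSP's real parameters.
PRIME_PAIRS = [(65521, 65519), (65497, 65479), (65449, 65447), (65437, 65423)]


def _is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


assert all(_is_prime(p) and _is_prime(q) for p, q in PRIME_PAIRS)


def make_key(p, q):
    """Textbook RSA: d is the inverse of E modulo (p-1)(q-1)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(tbs, n):
    """SHA-1 of the to-be-signed fields, reduced into the issuer's modulus."""
    return int.from_bytes(hashlib.sha1(_canon(tbs)).digest(), "big") % n


def issue(subject, issuer_name, issuer_key, subject_key, ca):
    """A certificate is the TBS fields plus the issuer's signature over them."""
    tbs = {"subject": subject, "issuer": issuer_name,
           "pubkey": {"n": subject_key["n"], "e": subject_key["e"]},
           "ca": ca, "key_cert_sign": ca}
    sig = pow(_digest(tbs, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return {"tbs": tbs, "sig": sig}


def signature_ok(cert, issuer_pub):
    n, e = issuer_pub["n"], issuer_pub["e"]
    return pow(cert["sig"], e, n) == _digest(cert["tbs"], n)


def thumbprint(cert):
    """SHA-1 over the whole certificate, the value certmgr prints as the thumbprint."""
    return hashlib.sha1(_canon(cert)).hexdigest()


def validate_chain(chain, trust_store):
    """chain[0] is the end entity, chain[-1] the root. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        is_root = i == len(chain) - 1
        issuer = cert if is_root else chain[i + 1]   # the root must sign itself
        itbs = issuer["tbs"]
        if tbs["issuer"] != itbs["subject"]:
            return False, "%s: issuer name does not match %s" % (tbs["subject"], itbs["subject"])
        if not (itbs["ca"] and itbs["key_cert_sign"]):
            return False, "%s is not a CA permitted to sign certificates" % itbs["subject"]
        if not signature_ok(cert, itbs["pubkey"]):
            return False, "bad signature on %s" % tbs["subject"]
        if is_root and thumbprint(cert) not in trust_store:
            return False, "self-signed root %s is not in the trust store" % tbs["subject"]
    return True, "chain ends at trusted root %s" % chain[-1]["tbs"]["subject"]


def demo():
    """The paper's hierarchy plus certificates that a recipient must reject."""
    root_key, sub_key, user_key, rogue_key = (make_key(p, q) for p, q in PRIME_PAIRS)
    root = issue("PkiTestCa", "PkiTestCa", root_key, root_key, ca=True)
    sub = issue("PkiTestSubCA", "PkiTestCa", root_key, sub_key, ca=True)
    user = issue("emailcert", "PkiTestSubCA", sub_key, user_key, ca=False)
    # Whoever holds the end-entity key tries to act as a CA for a new name.
    rogue = issue("mallory", "emailcert", user_key, rogue_key, ca=False)
    # The real end-entity certificate with its subject altered after issuance.
    forged = dict(user, tbs=dict(user["tbs"], subject="emailcert-forged"))
    trusted = {thumbprint(root)}
    return {
        "good": validate_chain([user, sub, root], trusted),
        "rogue_issuer": validate_chain([rogue, user, sub, root], trusted),
        "tampered": validate_chain([forged, sub, root], trusted),
        "untrusted_root": validate_chain([user, sub, root], set()),
    }
```

Running demo() returns four results: only the first chain is accepted. The second is refused because the end entity key was used to sign another certificate and the end entity is not a CA, the third because the subject was changed after the subordinate CA signed it, and the fourth because the self-signed root, although internally consistent, is not in the recipient's trust store.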

True CA hierarchies, that is, more than the simple hierarchical model of trust described here, are beyond the scope of this document.

Creating a Certificate Hierarchy using Microsoft Certificate Server

The following is an exercise for creating the simple certificate authority hierarchy described above, using Microsoft Certificate Server. To do this, the following steps must be performed:

  • Install a certificate authority representing the root certificate authority.

  • Install a certificate authority representing the subordinate certificate authority.

  • Establish certificate-based trust between the root and the subordinate.

  • Issue a certificate to end entities.

Install a Certificate Authority Representing the Root Certificate Authority

Microsoft Certificate Server can be installed as part of a Microsoft® Internet Information Server (IIS) 4.0 installation. Each CA to be installed must have its own certificate server, and only one Certificate Server application may be installed on a given computer. Note that IIS 4.0 must be installed on a computer that has Microsoft® Internet Explorer 4.01 previously installed. If Certificate Server is installed as part of an IIS 4.0 installation, perform the following steps:

  1. In the setup window, click Custom setup. The Select Components dialog box appears.

  2. In the Components list box, click Certificate Server. IIS must be selected or already installed.

  3. Click Next. The next several dialog boxes that appear relate to IIS 4.0 installation and the installation of other subsystems. These are not described in this white paper.

  4. In the Microsoft Certificate Server Setup dialog box, type the fully qualified path of a directory in which configuration information will be placed; for example, c:\public. This directory can be either an existing or a nonexisting directory. If it is an existing directory, you can click Browse to find the directory name.

  5. Select the Show Advanced Configuration check box.

    [Figure hier2: Microsoft Certificate Server Setup dialog box, with Show Advanced Configuration selected]

  6. Click Next. The advanced configuration setup dialog box is displayed. The default options should be set as follows:

    CSP: Microsoft Base Cryptographic Provider v1

    Hash: SHA-1

  7. The Make this Certificate Server the default check box is selected by default.

  8. Under Certificate Authority Hierarchy, click Root CA.

    [Figure hier3: advanced configuration dialog box, with Root CA selected]

  9. Click Next. The next dialog box allows you to input identifying information for this CA.

  10. Provide the information for each of the requested identifying items.

    CA Name: This information is used to create the Distinguished Name (DN) that will be included in the Subject Name and Issuer Name fields of the X.509v3 certificate being created to represent this certificate authority. Check the release notes for the valid characters to use for this field.

    Organization: Your company

    Organizational Unit: Your organization unit

    Locality: Your locality

    State: Your state

    Country: Your country

    CA Description: An identifying comment

    The following example reflects the identifying information for the Microsoft Test CA that can be found at https://sectest.microsoft.com.

    [Figure hier4: identifying information for the Microsoft Test CA]

  11. Click Next. When Setup completes and the settings are finalized, you will be prompted to restart the computer to allow the changes made by Setup to take effect.

    After you restart the computer, both the Web server and Certificate Server will start automatically.

  12. To verify the Certificate Server has started, type the following command at an MS-DOS® command prompt:

    net start

    A response similar to the following will appear:

These Windows NT services are started:

Alerter
Certificate Authority
Computer Browser
Content Index
DHCP Client
Event Log
FTP Publishing Service
IIS Admin Service
License Logging Service
Messenger
Microsoft SMTP Service
MSDTC
NT LM Security Support Provider
Plug and Play
Protected Storage
Remote Procedure Call (RPC) Service
Server
Spooler
TCP/IP NetBIOS Helper
Workstation
World Wide Web Publishing Service

The command completed successfully.

  13. Note the Certificate Authority entry in the list. This is the Certificate Server service that you just installed. In the future, if you want to stop Certificate Server, type the following MS-DOS command:

    net stop certsvc

    Similarly, if you want to manually start Certificate Server, type the following:

    net start certsvc

    Product documentation for Certificate Server was installed as part of the overall installation of IIS 4.0. (To view the documentation, on the Start menu, click Programs, click Windows NT 4.0 Option Pack, and then click Product Documentation.) Familiarize yourself with this documentation and with the Certificate Server release notes also in that location.

    Complete this installation of Certificate Server by installing the root certificate that was just created into the local certificate store of this computer and making it available to IIS 4.0. If you know you will never perform authentications using this certificate or never use features such as SSL Server Authentication, it is okay to skip this step. If you are not sure, it is better to do this step now than to spend time later on unnecessary "problem resolution" when you attempt to use these capabilities.

    1. Start Internet Explorer 4.01 and go to the Certificate Server default page (for example, https://localhost/certsrv). (The default page looks like the following figure.)

      [Figure hier5: Certificate Server default page]

    2. Click Certificate Enrollment Tools, and then click Install Certificate Authority Certificates. (This brings you to a screen similar to the following.)

      [Figure hier6: Install Certificate Authority Certificates page]

    3. Click the Certificate for your_CA_name link. A typical file download dialog box will appear, and you will be prompted to open or save this "file" (actually a certificate).

    4. Click Open this file from its current location. Click OK. This starts a certificate-handling MIME handler, which recognizes that this is a certificate file and asks you whether you want to install it. Then the New Site Certificate dialog box appears.

    5. If you want to see what the certificate you are about to install looks like, click View Certificate. Make sure you then click OK to install this certificate.

    6. In the Root Certificate Store dialog box, click Yes.

      [Figure hier7: Root Certificate Store dialog box]

    7. Make sure IIS can find this certificate if the certificate is needed for subsequent server authentication sessions. Type the following MS-DOS command:

      %windir%\system32\inetsrv\iisca

      The following response will appear:

      List of valid Certifying Authorities ( CA ) successfully transferred to IIS

The root certificate authority is now installed and active.

Install a Certificate Authority Representing the Subordinate Certificate Authority

The subordinate CA is the one that issues end entity certificates, such as for mail or client authentication. You must install this CA on a different computer than that used for the root CA in the previous exercise.

Start as before with the installation of the Windows NT 4.0 Option Pack. Perform steps 1 through 7 in the "Install a Certificate Authority Representing the Root Certificate Authority" section earlier in this paper, and then perform the following steps:

  1. Under Certificate Authority Hierarchy, click Non-Root CA, if it is not selected already.

    [Figure hier8: advanced configuration dialog box, with Non-Root CA selected]

  2. Click Next.

  3. Input the identifying information for this CA. For example:

    [Figure hier9: identifying information for the subordinate CA]

    Note that the value in the CA Name box is different than that of the root certificate authority.

  4. Click Next. When Setup completes, the following dialog box is displayed.

    [Figure hier10: Setup message shown for a subordinate CA installation]

    The installation process is indicating that this is an installation for a subordinate CA. The instructions in this dialog box are discussed below. For now, just click OK.

  5. When the settings are finalized, you will be prompted to restart the computer to allow the changes made by Setup to take effect.

  6. When the computer restarts, a message similar to the one that follows probably will appear, indicating that one or more services or drivers failed to start.

    [Figure hier11: message that one or more services or drivers failed to start]

    Receiving this message at this point is to be expected. Installation of Certificate Server includes putting the Certificate Server service in the automatic startup list. Upon restart, the system attempts to start Certificate Server, just as it does the Web server. Certificate Server fails to start because, although all the executable files for Certificate Server are present, the certificate for this CA is not. Another step must be performed to fulfill the certificate for this subordinate CA from its parent. This step is explained in the next section.

Establish Certificate-based Trust Between the Root and the Subordinate

  1. On the subordinate CA computer, open an MS-DOS command prompt and change the directory to the Shared Folder directory name specified during installation. List the files present. There will be a file with a name in the form MachineName_SubordinateCAName.req.

    This file is a BASE64-encoded PKCS #10 certificate request. It must be presented to the root CA's certificate server, which fulfills the request by creating the signed certificate that the subordinate CA needs in order to operate.

  2. Copy the request file to a floppy disk. Carry this disk to the root CA certificate server.

  3. Log on as the administrator at the root CA certificate server. Insert the disk into drive A. Enter the following command from an MS-DOS command prompt, using the name of your certificate request file as a model:

    certreq a:\SubCAMachineName_SubCAName.req a:\SubCAMachineName_SubCAName.crt

    This will result in the following response:

    ICertRequest::GetDispositionMessage --> Issued

  4. Change the directory to the shared folder for the root CA (in the example used for installation of the root CA above, the directory was named C:\Public). Copy the signature certificate file for the root CA found in this directory to the floppy disk.

    The disk now contains the following files (the names show the form; substitute your own machine and CA names):

    SubCAMachineName_SubCAName.req

    SubCAMachineName_SubCAName.crt

    RootCAMachineName_RootCAName.crt

  5. Return to the subordinate CA computer and log on as administrator. Insert the floppy disk into drive A. From an MS-DOS command prompt, copy the root CA signature certificate to the %SystemRoot%\System32 directory as RootCa.crt. For example:

    copy a:\RootCAMachineName_RootCAName.crt %SystemRoot%\system32\RootCa.crt

  6. Install the fulfilled subordinate CA certificate. Leave the disk in drive A. Copy the fulfilled subordinate CA certificate to the shared folder. The shared folder name was specified at installation time; in this example, we will use c:\public.

    copy a:\SubCAMachineName_SubCAName.crt c:\public

  7. Install the hierarchy by typing the following command:

    certhier

    Note that you can also install the hierarchy from the Start menu. Click Programs, Windows NT 4.0 Option Pack, Microsoft Certificate Server (Common), Certificate Server Hierarchy Configuration.

  8. Click OK and start Certificate Server either by restarting the computer or by entering the following command:

    net start certsvc

Installation of a two-level hierarchy is now complete.

Issue a Certificate to End Entities

This exercise shows you how an end entity (user) can request a certificate (in this case a mail certificate). The example shows a Web-based request and fulfillment. Then you can display the certificate contents at a detail level.

This exercise requires Internet Explorer version 3.02 (with the Authenticode II update) or later. The screen images shown here were created with Internet Explorer version 4.01 running on the same computer as the subordinate CA and the Web server.

  1. Start Internet Explorer and go to the default page for the Certificate Server (https://SubCAMachineName/certsrv).

  2. Click Certificate Enrollment Tools. In the Certificate Enrollment Tools dialog box, click Request a Client Authentication Certificate. The Certificate Enrollment Form dialog box should appear.

    [Figure hier12: Certificate Enrollment Form]

  3. Type the information requested and click Advanced. The Advanced Settings dialog box should appear.

    [Figure hier13: Advanced Settings dialog box]

  4. In the Usage list, click E-Mail Protection and then click OK. The previous page will reappear; click Submit Request. The next page indicates that your certificate request is successful.

  5. Click Download to install the certificate issued. The next message prompts you to install the root CA certificate. This means that the end entity certificate has been issued, and the chain, including the root, subordinate, and end entity certificate, has been delivered.

    [Figure hier14: prompt to install the root CA certificate]

  6. Click Yes. The following dialog box appears.

    [Figure hier15: message that the certificates are installed]

    This message indicates that the end entity and subordinate CA certificates are installed.

You can verify that the certificates for the root CA, the subordinate CA, and the end entity (user) mail certificate are present in their respective stores. To do this, use the Certmgr.exe command-line tool, which is available as part of the Internet Client Solution Developer Kit (InetSDK).

Install Certmgr.exe from the Internet Client SDK. Run each of the following commands from the MS-DOS command prompt. The my store holds the user's own certificates (here the mail certificate), root holds trusted root CA certificates, and ca holds intermediate CA certificates such as the subordinate CA's:

certmgr -s my -v -c > my.txt

certmgr -s root -v -c > root.txt

certmgr -s ca -v -c > ca.txt

Using a text editor (such as Notepad or Microsoft® Word), you can look at the interpreted contents of each certificate. An example is shown below:

End Entity (User) Mail Certificate

==============Certificate # 1 ==========
Subject::
  [0,0] 1.2.840.113549.1.9.1 (E) ValueType: 7
     6D 61 69 6C 40 6D 61 69 6C 2E 63 6F 6D    'mail@mail.com'
  [1,0] 2.5.4.6 (C) ValueType: 4
     75 73   'us'
  [2,0] 2.5.4.8 (S) ValueType: 4
     77 61   'wa'
  [3,0] 2.5.4.7 (L) ValueType: 4
     72 65 64 6D 6F 6E 64   'redmond'
  [4,0] 2.5.4.10 (O) ValueType: 4
     74 65 73 74 6F 72 67    'testorg'
  [5,0] 2.5.4.11 (OU) ValueType: 4
     74 65 73 74 64 65 70 74   'testdept'
  [6,0] 2.5.4.3 (CN) ValueType: 4
     65 6D 61 69 6C 63 65 72 74   'emailcert'
Issuer::
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53   'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 41   'WA'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64    'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E   'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79   ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 53 75 62 43 41   'PkiTestSubCA'
SerialNumber::
   9C 5F E6 00 00 00 03
SHA1 Thumbprint:: 
      9906649B F2EC4D1E 73B14142 25D169AC 3B78E38F 
MD5 Thumbprint:: 
      D68ECA8A 9102EEA1 A734BEB7 02B5D17D 
Provider Type:: 1 Provider Name:: Microsoft Base Cryptographic Provider v1.0 Container:
 c329d203-a716-11d1-891b-00aa00a78143 KeySpec: 1
NotBefore:: 
  Mon Feb 16 13:42:19 1998
NotAfter:: 
  Mon Feb 15 10:44:48 1999
Version:: 2
SignatureAlgorithm:: 1.3.14.3.2.29 (shaRSA)
SignatureAlgorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.Algorithm::  1.2.840.113549.1.1.1 (RSA)
SubjectPublicKeyInfo.Algorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.PublicKey (BitLength: 512)
     30 47 02 40 74 57 A1 AC 56 F7 56 D2 92 CF 88 C5    '0G.@tW..V.V.....'
     0D 37 5C 10 72 6B EB 6C 81 A1 03 F2 C0 E8 DE F4    '.7\.rk.l........'
     B8 20 16 27 2B 2D A8 1C 0D 82 F2 81 D4 8D B5 AF    '. .'+-..........'
     7B 03 94 A7 81 79 4C AC 91 DE 78 53 09 FB 98 FA    '{....yL...xS....'
     61 FB E5 BD 02 03 01 00 01                         'a........'
RSA_CSP_PUBLICKEYBLOB::
     06 02 00 00 00 A4 00 00 52 53 41 31 00 02 00 00    '........RSA1....'
     01 00 01 00 BD E5 FB 61 FA 98 FB 09 53 78 DE 91    '.......a....Sx..'
     AC 4C 79 81 A7 94 03 7B AF B5 8D D4 81 F2 82 0D    '.Ly....{........'
     1C A8 2D 2B 27 16 20 B8 F4 DE E8 C0 F2 03 A1 81    '..-+'. .........'
     6C EB 6B 72 10 5C 37 0D C5 88 CF 92 D2 56 F7 56    'l.kr.\7......V.V'
     AC A1 57 74                                        '..Wt'
Content SignatureAlgorithm::  1.3.14.3.2.29 (shaRSA)
Content SignatureAlgorithm.Parameters::
     05 00                                              '..'
Content Signature (little endian)::
     1D 40 E1 B0 63 78 4D D1 40 AD 33 61 FD A5 65 52    '.@..cxM.@.3a..eR'
     3C 04 40 30 3B F8 F6 20 52 41 51 11 47 16 68 34    '<.@0;.. RAQ.G.h4'
     4D 38 95 D8 4F F3 D3 2B 57 A0 28 E2 54 29 15 49    'M8..O..+W.(.T).I'
     9D 8B 3D CB 34 32 9B 41 BF 84 41 64 2A D3 34 6B    '..=.42.A..Ad*.4k'
     
Extension[0] 2.5.29.15(Key Usage) Critical:  False::
     03 02 00 38                                        '...8'
  <KeyUsage> 
KEY_ENCIPHERMENT DATA_ENCIPHERMENT KEY_AGREEMENT 

Extension[1] 2.5.29.37(Enhanced Key Usage) Critical:  False::
     30 0A 06 08 2B 06 01 05 05 07 03 04                '0...+.......'
  <EnhancedKeyUsage> 
    [0] 1.3.6.1.5.5.7.3.4

Extension[2] 2.5.29.35(Authority Key Identifier) Critical:  False::
     30 81 BA 80 14 A0 D4 64 94 5C 9C AC C1 D2 54 4B    '0......d.\....TK'
     68 D4 C7 3A DE 9F 99 AA D3 A1 81 97 A4 81 94 30    'h..:...........0'
     81 91 31 0B 30 09 06 03 55 04 06 13 02 55 53 31    '..1.0...U....US1'
     13 30 11 06 03 55 04 08 13 0A 57 61 73 68 69 6E    '.0...U....Washin'
     67 74 6F 6E 31 10 30 0E 06 03 55 04 07 13 07 52    'gton1.0...U....R'
     65 64 6D 6F 6E 64 31 1E 30 1C 06 03 55 04 0A 13    'edmond1.0...U...'
     15 4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F    '.Microsoft Corpo'
     72 61 74 69 6F 6E 31 27 30 25 06 03 55 04 0B 13    'ration1'0%..U...'
     1E 46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D    '.For Test or Dem'
     6F 20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79 31    'o Purposes Only1'
     12 30 10 06 03 55 04 03 13 09 50 6B 69 54 65 73    '.0...U....PkiTes'
     74 43 61 82 08 83 6E 95 5C 00 00 00 70             'tCa...n.\...p'
  <AuthorityKeyId #2>
  KeyId::
     A0 D4 64 94 5C 9C AC C1 D2 54 4B 68 D4 C7 3A DE    '..d.\....TKh..:.'
     9F 99 AA D3                                        '....'
  AuthorityCertIssuer::
    [0] DirectoryName:
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 61 73 68 69 6E 67 74 6F 6E                       'Washington'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 43 61                         'PkiTestCa'
  AuthorityCertSerialNumber:: 83 6E 95 5C 00 00 00 70

Extension[3] 2.5.29.31(CRL Distribution Points) Critical:  False::
     30 74 30 37 A0 35 A0 33 86 31 68 74 74 70 3A 2F    '0t07.5.3.1http:/'
     2F 52 49 43 4B 4A 32 2F 43 65 72 74 53 72 76 2F    '/RICKJ2/CertSrv/'
     43 65 72 74 45 6E 72 6F 6C 6C 2F 50 6B 69 54 65    'CertEnroll/PkiTe'
     73 74 53 75 62 43 41 2E 63 72 6C 30 39 A0 37 A0    'stSubCA.crl09.7.'
     35 86 33 66 69 6C 65 3A 2F 2F 5C 5C 52 49 43 4B    '5.3file://\\RICK'
     4A 32 5C 43 65 72 74 53 72 76 5C 43 65 72 74 45    'J2\CertSrv\CertE'
     6E 72 6F 6C 6C 5C 50 6B 69 54 65 73 74 53 75 62    'nroll\PkiTestSub'
     43 41 2E 63 72 6C                                  'CA.crl'
  CRL Distribution Point[0]
    FullName:
    [0] URL: http://RICKJ2/CertSrv/CertEnroll/PkiTestSubCA.crl
  CRL Distribution Point[1]
    FullName:
    [0] URL: file://\\RICKJ2\CertSrv\CertEnroll\PkiTestSubCA.crl

Extension[4] 2.5.29.19(Basic Constraints) Critical:  False::
     30 00                                              '0.'
   <Basic Constraints2> 
  END_ENTITY 
  PathLenConstraint:: None

Extension[5] 1.3.6.1.5.5.7.1.1(<UNKNOWN OID>) Critical:  False::
     30 46 30 44 06 08 2B 06 01 05 05 07 30 02 86 38    '0F0D..+.....0..8'
     68 74 74 70 3A 2F 2F 52 49 43 4B 4A 32 2F 43 65    'http://RICKJ2/Ce'
     72 74 53 72 76 2F 43 65 72 74 45 6E 72 6F 6C 6C    'rtSrv/CertEnroll'
     2F 52 49 43 4B 4A 32 5F 50 6B 69 54 65 73 74 53    '/RICKJ2_PkiTestS'
     75 62 43 41 2E 63 72 74                            'ubCA.crt'

Root CA Certificate

==============Certificate # 1 ==========
Subject::
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 61 73 68 69 6E 67 74 6F 6E                      'Washington'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 43 61                         'PkiTestCa'
Issuer::
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 61 73 68 69 6E 67 74 6F 6E                      'Washington'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 43 61                         'PkiTestCa'
SerialNumber::
   52 43 05 C9 A0 00 1A 98 11 D1 91 D5 20 87 E0 AD
SHA1 Thumbprint:: 
      DE8FEBE9 DC74AE7A F4CA5F3C FB7ED39C D157D3B4 
MD5 Thumbprint:: 
      E99A1A5D 104D4461 6CACA3EF 4E330EB0 
NotBefore:: 
  Tue Jan 20 12:52:59 1998
NotAfter:: 
  Mon Jan 20 12:52:59 2003
Version:: 2
SignatureAlgorithm:: 1.2.840.113549.1.1.4 (md5RSA)
SignatureAlgorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.Algorithm::  1.2.840.113549.1.1.1 (RSA)
SubjectPublicKeyInfo.Algorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.PublicKey (BitLength: 512)
     30 47 02 40 4A 19 B4 FF D2 24 04 76 6F 65 6F 3F    '0G.@J....$.voeo?'
     9B 9C 3F EF B2 B4 3C 46 55 D8 ED 14 A8 22 ED 61    '..?...<FU....".a'
     73 02 11 9A A4 6F C1 46 C1 FC 55 DC 52 9E B4 DE    's....o.F..U.R...'
     E9 06 C0 4D 99 15 3F 14 65 FA 76 86 12 B2 37 57    '...M..?.e.v...7W'
     72 51 31 1B 02 03 01 00 01                         'rQ1......'
RSA_CSP_PUBLICKEYBLOB::
     06 02 00 00 00 A4 00 00 52 53 41 31 00 02 00 00    '........RSA1....'
     01 00 01 00 1B 31 51 72 57 37 B2 12 86 76 FA 65    '.....1QrW7...v.e'
     14 3F 15 99 4D C0 06 E9 DE B4 9E 52 DC 55 FC C1    '.?..M......R.U..'
     46 C1 6F A4 9A 11 02 73 61 ED 22 A8 14 ED D8 55    'F.o....sa."....U'
     46 3C B4 B2 EF 3F 9C 9B 3F 6F 65 6F 76 04 24 D2    'F<...?..?oeov.$.'
     FF B4 19 4A                                        '...J'
Content SignatureAlgorithm::  1.2.840.113549.1.1.4 (md5RSA)
Content SignatureAlgorithm.Parameters::
     05 00                                              '..'
Content Signature (little endian)::
     01 F3 C4 20 A4 E2 97 B7 47 AF E0 38 CC F5 28 9E    '... ....G..8..(.'
     08 BD 4C 19 FB 7B 8A DA C3 22 8B 53 7F 80 D1 96    '..L..{...".S...'
     E5 8A 3C 15 AB 64 D6 7C 72 F5 F4 40 5E 45 94 E7    '..<..d.|r..@^E..'
     E9 C2 16 7F 06 29 59 14 F5 CD 9D 13 EE F3 7F 08    '....)Y........'

Extension[0] 2.5.29.15(Key Usage) Critical:  False::
     03 02 01 C4                                        '....'
  <KeyUsage> 
DIGITAL_SIGNATURE NON_REPUDIATION KEY_CERT_SIGN 

Extension[1] 2.5.29.19(Basic Constraints) Critical:  False::
     30 03 01 01 FF                                     '0....'
   <Basic Constraints2> 
  CA 
  PathLenConstraint:: None

Extension[2] 2.5.29.14(Subject Key Identifier) Critical:  False::
     04 14 D1 3A E3 E9 E8 66 08 5C F0 B2 37 C9 94 65    '...:...f.\..7..e'
     C1 2C AD AF 00 02                                  '.,....'
  <SubjectKeyIdentifer> 
     D1 3A E3 E9 E8 66 08 5C F0 B2 37 C9 94 65 C1 2C    '.:...f.\..7..e.,'
     AD AF 00 02                                        '....'

Subordinate CA Certificate

==============Certificate # 1 ==========
Subject::
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 41                                              'WA'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 53 75 62 43 41                'PkiTestSubCA'
Issuer::
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 61 73 68 69 6E 67 74 6F 6E                      'Washington'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 43 61                         'PkiTestCa'
SerialNumber::
   83 6E 95 5C 00 00 00 70
SHA1 Thumbprint:: 
      DD76567D 7D9E8A42 E1930E78 76C46C04 2B0AF37E 
MD5 Thumbprint:: 
      6B2635B3 14F1CB79 0B4B568B 897CF4A3 
NotBefore:: 
  Sun Feb 15 10:44:48 1998
NotAfter:: 
  Mon Feb 15 10:44:48 1999
Version:: 2
SignatureAlgorithm:: 1.2.840.113549.1.1.4 (md5RSA)
SignatureAlgorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.Algorithm::  1.2.840.113549.1.1.1 (RSA)
SubjectPublicKeyInfo.Algorithm.Parameters::
     05 00                                              '..'
SubjectPublicKeyInfo.PublicKey (BitLength: 512)
     30 48 02 41 00 91 DE 07 3A 7B A6 D4 80 66 B4 17    '0H.A....:{...f..'
     A3 7D 09 20 03 8C 48 3A 8E F3 00 06 48 42 D5 B4    '.}. ..H:....HB..'
     FA 59 36 8B 61 2D 2D AA 6A FE 1D D2 17 67 51 65    '.Y6.a--.j....gQe'
     F4 9B FD 81 E3 8D B2 A6 AE 16 CC DE 7D 8C 1B 40    '............}..@'
     D8 9B 05 18 8B 02 03 01 00 01                      '..........'
RSA_CSP_PUBLICKEYBLOB::
     06 02 00 00 00 A4 00 00 52 53 41 31 00 02 00 00    '........RSA1....'
     01 00 01 00 8B 18 05 9B D8 40 1B 8C 7D DE CC 16    '.........@..}...'
     AE A6 B2 8D E3 81 FD 9B F4 65 51 67 17 D2 1D FE    '.........eQg....'
     6A AA 2D 2D 61 8B 36 59 FA B4 D5 42 48 06 00 F3    'j.--a.6Y...BH...'
     8E 3A 48 8C 03 20 09 7D A3 17 B4 66 80 D4 A6 7B    '.:H.. .}...f...{'
     3A 07 DE 91                                        ':...'
Content SignatureAlgorithm::  1.2.840.113549.1.1.4 (md5RSA)
Content SignatureAlgorithm.Parameters::
     05 00                                              '..'
Content Signature (little endian)::
     3D B9 4D C4 44 40 4B DE BA 42 0F 06 2F 75 00 20    '=.M.D@K..B../u. '
     B7 A9 1A 77 21 61 3E F6 A9 4E 75 78 C1 96 68 5D    '...w!a>..Nux..h]'
     52 04 73 6C 3F 24 3A 48 70 A7 23 4D E9 D5 32 0E    'R.sl?$:Hp.#M..2.'
     1D D6 60 98 E0 5E 41 14 51 67 13 29 20 40 F6 1E    '..`..^A.Qg.) @..'

Extension[0] 2.5.29.35(Authority Key Identifier) Critical:  False::
     30 81 C2 80 14 D1 3A E3 E9 E8 66 08 5C F0 B2 37    '0.....:...f.\..7'
     C9 94 65 C1 2C AD AF 00 02 A1 81 97 A4 81 94 30    '..e.,..........0'
     81 91 31 0B 30 09 06 03 55 04 06 13 02 55 53 31    '..1.0...U....US1'
     13 30 11 06 03 55 04 08 13 0A 57 61 73 68 69 6E    '.0...U....Washin'
     67 74 6F 6E 31 10 30 0E 06 03 55 04 07 13 07 52    'gton1.0...U....R'
     65 64 6D 6F 6E 64 31 1E 30 1C 06 03 55 04 0A 13    'edmond1.0...U...'
     15 4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F    '.Microsoft Corpo'
     72 61 74 69 6F 6E 31 27 30 25 06 03 55 04 0B 13    'ration1'0%..U...'
     1E 46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D    '.For Test or Dem'
     6F 20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79 31    'o Purposes Only1'
     12 30 10 06 03 55 04 03 13 09 50 6B 69 54 65 73    '.0...U....PkiTes'
     74 43 61 82 10 52 43 05 C9 A0 00 1A 98 11 D1 91    'tCa..RC.........'
     D5 20 87 E0 AD                                     '. ...'
  <AuthorityKeyId #2>
  KeyId::
     D1 3A E3 E9 E8 66 08 5C F0 B2 37 C9 94 65 C1 2C    '.:...f.\..7..e.,'
     AD AF 00 02                                        '....'
  AuthorityCertIssuer::
    [0] DirectoryName:
  [0,0] 2.5.4.6 (C) ValueType: 4
     55 53                                              'US'
  [1,0] 2.5.4.8 (S) ValueType: 4
     57 61 73 68 69 6E 67 74 6F 6E                      'Washington'
  [2,0] 2.5.4.7 (L) ValueType: 4
     52 65 64 6D 6F 6E 64                               'Redmond'
  [3,0] 2.5.4.10 (O) ValueType: 4
     4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 6F 72    'Microsoft Corpor'
     61 74 69 6F 6E                                     'ation'
  [4,0] 2.5.4.11 (OU) ValueType: 4
     46 6F 72 20 54 65 73 74 20 6F 72 20 44 65 6D 6F    'For Test or Demo'
     20 50 75 72 70 6F 73 65 73 20 4F 6E 6C 79          ' Purposes Only'
  [5,0] 2.5.4.3 (CN) ValueType: 4
     50 6B 69 54 65 73 74 43 61                         'PkiTestCa'
  AuthorityCertSerialNumber:: 52 43 05 C9 A0 00 1A 98 11 D1 91 D5 20 87 E0 AD

Extension[1] 2.5.29.31(CRL Distribution Points) Critical:  False::
     30 70 30 35 A0 33 A0 31 86 2F 68 74 74 70 3A 2F    '0p05.3.1./http:/'
     2F 53 45 43 54 45 53 54 2F 43 65 72 74 53 72 76    '/SECTEST/CertSrv'
     2F 43 65 72 74 45 6E 72 6F 6C 6C 2F 50 6B 69 54    '/CertEnroll/PkiT'
     65 73 74 43 61 2E 63 72 6C 30 37 A0 35 A0 33 86    'estCa.crl07.5.3.'
     31 66 69 6C 65 3A 2F 2F 5C 5C 53 45 43 54 45 53    '1file://\\SECTES'
     54 5C 43 65 72 74 53 72 76 5C 43 65 72 74 45 6E    'T\CertSrv\CertEn'
     72 6F 6C 6C 5C 50 6B 69 54 65 73 74 43 61 2E 63    'roll\PkiTestCa.c'
     72 6C                                              'rl'
  CRL Distribution Point[0]
    FullName:
    [0] URL: http://SECTEST/CertSrv/CertEnroll/PkiTestCa.crl
  CRL Distribution Point[1]
    FullName:
    [0] URL: file://\\SECTEST\CertSrv\CertEnroll\PkiTestCa.crl

Extension[2] 2.5.29.19(Basic Constraints) Critical:  False::
     30 00                                              '0.'
   <Basic Constraints2> 
  END_ENTITY 
  PathLenConstraint:: None
  
Extension[3] 1.3.6.1.5.5.7.1.1(<UNKNOWN OID>) Critical:  False::
     30 45 30 43 06 08 2B 06 01 05 05 07 30 02 86 37    '0E0C..+.....0..7'
     68 74 74 70 3A 2F 2F 53 45 43 54 45 53 54 2F 43    'http://SECTEST/C'
     65 72 74 53 72 76 2F 43 65 72 74 45 6E 72 6F 6C    'ertSrv/CertEnrol'
     6C 2F 53 45 43 54 45 53 54 5F 50 6B 69 54 65 73    'l/SECTEST_PkiTes'
     74 43 61 2E 63 72 74                               'tCa.crt'