Introduction (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003)
Updated: August 13, 2009
Applies To: Windows Server 2003 with SP1
Qualified subordination is the process of cross-certifying Certification Authority (CA) hierarchies using basic, policy, naming, and application constraints to limit which certificates are accepted from partner CA hierarchies or a secondary hierarchy within the same organization. True cross-certification of CA hierarchies in a Windows 2000 network was not possible. The only available alternative was to define Certificate Trust Lists (CTLs) that trusted specific CAs and restricted certificate usage. By using qualified subordination, a CA administrator can clearly define which certificates issued by a partners PKI are trusted by the CA administrators organization. Qualified subordination also provides methods for compartmentalizing and controlling certificate issuance within an organization according to policy guidelines. Examples of both scenarios will be explained in this white paper.
For the purposes of this white paper, the term qualified subordination refers to a cross-certification between two CAs that implements basic constraints, name constraints, application constraints, policy constraints, or a mix of the four constraints. This limits which certificates are trusted from a partner or secondary CA hierarchy according to the rules and definitions defined in RFC 2459 and subsequently RFC 3280.
The scope of this white paper is to describe the ways that qualified subordination is used to govern the relationship between multiple organizations PKI hierarchies. The white paper describes the various constraints that can be implemented to define the relationship between PKI hierarchies, presents qualified subordination scenarios, and provides walkthroughs of the qualified subordination process.
Terms Used in This White Paper
Application Constraints A constraint that limits what purposes a certificate can be used for in a qualified subordination configuration. A presented certificate must contain the required application constraint to be accepted by the partner organization.
Authority Information Access (AIA) A certificate extension that contains URL locations where the issuing CAs certificate can be retrieved. The AIA extension can contain HTTP, FTP, LDAP, or FILE URLs.
Authority Key Identifier (AKI) A certificate extension used by the certificate chaining engine to determine what certificate was used to sign a presented certificate. The AKI can contain the issuer name and serial number, public key information, or no information at all. By matching the information in a certificates AKI extension to a CA certificates Subject Key Identifier (SKI) extension, a certificate chain can be built.
CaPolicy.inf A configuration file stored in the %SystemRoot% folder that defines configuration settings for CAs when they are installed and when the CAs certificate is renewed.
CRL Distribution Point (CDP) A certificate extension that indicates where the certificate revocation list for a CA can be retrieved. This extension can contain multiple HTTP, FTP, File, or LDAP URLs for the retrieval of the CRL.
Certificate Trust List (CTL) A method of restricting certificates chaining to a designated CA for limited time periods or usages. It is used more prevalently in a Windows 2000 network. In a Windows Server 2003 environment, qualified subordination is the preferred method for restricting certificate usage between organizations.
Certificate Revocation List (CRL) A digitally signed list issued by a CA that contains a list of certificates issued by the CA that have been revoked. The listing includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificates revocation status.
Cross-Certification The process of issuing subordinate CA certificates for existing CAs that link two root CAs.
Cross-Certification Authority Certificate A certificate issued by one CA for another CA's signing key pair (that is, for another CA's public verification key).
Name Constraint A constraint that limits what names are permitted or excluded in certificate requests submitted to a CA.
Issuance Policy Constraint A constraint that defines what issuance practices must be followed for certificates to be trusted by your organization. Issuance policy object identifiers (OIDs) in your organization are mapped to the matching object identifiers in a partner organization, so that object identifiers in presented certificates are recognized by your PKI.
Policy.inf A configuration file that defines the constraints that are applied to a CA certificate when qualified subordination is defined.
Public Key Infrastructure (PKI) A PKI provides an organization with the ability to securely exchange data over a public network using public-key cryptography. A PKI consists of CAs that issue digital certificates, directories that store the certificates (including Active Directory in Windows 2000 and Windows Server 2003), and X.509 certificates that are issued to security entities on the network. The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified.
Qualified Subordination The process of configuring cross-certification with basic constraints, name constraints, application constraints, and issuance policy constraints to govern what certificates are trusted from a partner organization.