
AD CS Cross-Certification

Updated: November 27, 2007

Applies To: Windows Server 2008

When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.

To support these scenarios, a pair of cross-CA certificates is also created to establish the trust relationship between the original and the renewed root certificate:

  • The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
  • The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.

Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, covering the period during which the lifetimes of the two root certificates overlap.
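The following Go program is an added example, not part of this page and not AD CS code: it uses Go's standard crypto/x509 package to model the renewal described above. It creates an original root and a renewed root with the same name but a new key, issues the two cross-certificates (each valid only for the overlap of the two root lifetimes, which is the example's own rule, written to match the statement above), and then checks which certificate chains validate: a certificate from the renewed root against the original anchor fails without the cross-certificate and succeeds with it, and a certificate from the original root validates against the renewed anchor through the second cross-certificate. The CA name "Example Root CA", the host names, serial numbers and validity periods are constructed for the demo; the `must`, `sign`, `caTemplate`, `newRoot`, `crossCertify`, `issueLeaf`, `chainsTo` and `validateRenewal` helpers are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// must panics on error; in this demo the wrapped library calls fail only on programming mistakes.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl for public key pub under parent, signing with parent's private key priv.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// caTemplate returns a CA certificate template carrying the extensions a root CA needs.
func caTemplate(serial int64, subject pkix.Name, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newRoot creates one generation of the root CA: a fresh key pair and its self-signed certificate.
func newRoot(name string, serial int64, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := caTemplate(serial, pkix.Name{CommonName: name}, notBefore, notAfter)
	return key, sign(tmpl, tmpl, &key.PublicKey, key)
}

// crossCertify has the signer root certify the subject root's name and public key. The
// cross-certificate covers only the period in which both root lifetimes overlap; with no
// overlap it cannot be created at all (constructed rule for this demo).
func crossCertify(signerKey *ecdsa.PrivateKey, signer, subject *x509.Certificate, serial int64) (*x509.Certificate, error) {
	notBefore, notAfter := signer.NotBefore, signer.NotAfter
	if subject.NotBefore.After(notBefore) {
		notBefore = subject.NotBefore
	}
	if subject.NotAfter.Before(notAfter) {
		notAfter = subject.NotAfter
	}
	if !notBefore.Before(notAfter) {
		return nil, fmt.Errorf("root certificate lifetimes do not overlap")
	}
	return sign(caTemplate(serial, subject.Subject, notBefore, notAfter), signer, subject.PublicKey, signerKey), nil
}

// issueLeaf issues an end-entity certificate under one root generation.
func issueLeaf(issuerKey *ecdsa.PrivateKey, issuer *x509.Certificate, name string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(year)}
	return sign(tmpl, issuer, &key.PublicKey, issuerKey)
}

// chainsTo reports whether leaf validates with anchor as the only trust anchor, using the
// given certificates (a cross-certificate, or none) as untrusted intermediates.
func chainsTo(leaf, anchor *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// validateRenewal builds the scenario with throwaway keys (original root: three years left;
// renewed root: same name, new key, starting now) and reports whether a renewed-root leaf chains
// to the original anchor without / with the cross-certificate, and an original-root leaf to the renewed anchor.
func validateRenewal() (noCross, viaOrigToRenewed, viaRenewedToOrig bool) {
	now := time.Now()
	origKey, orig := newRoot("Example Root CA", 1, now.Add(-2*year), now.Add(3*year))
	renewedKey, renewed := newRoot("Example Root CA", 2, now.Add(-time.Hour), now.Add(10*year))
	origToRenewed := must(crossCertify(origKey, orig, renewed, 3))   // original certifies renewed
	renewedToOrig := must(crossCertify(renewedKey, renewed, orig, 4)) // renewed certifies original
	oldLeaf := issueLeaf(origKey, orig, "host1.example", 5)
	newLeaf := issueLeaf(renewedKey, renewed, "host2.example", 6)
	return chainsTo(newLeaf, orig), chainsTo(newLeaf, orig, origToRenewed), chainsTo(oldLeaf, renewed, renewedToOrig)
}

func main() {
	noCross, viaOrigToRenewed, viaRenewedToOrig := validateRenewal()
	fmt.Println("renewed-root leaf, original anchor, no cross-cert:  ", noCross)
	fmt.Println("renewed-root leaf, original anchor, with cross-cert:", viaOrigToRenewed)
	fmt.Println("original-root leaf, renewed anchor, with cross-cert:", viaRenewedToOrig)
}
```

Both roots share one subject name, so the chain builder has to pick the right generation by public key and signature rather than by name; the cross-certificate is what lets a relying party that only trusts the original root accept certificates signed with the renewed key, and the reverse cross-certificate does the same for clients that already trust only the renewed root. The "lifetimes do not overlap" refusal is the example's own check, added to illustrate the one way this construction can fail; it is not the logic behind the AD CS events listed below.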

Events

Event ID: 99
Source: Microsoft-Windows-CertificationAuthority
Message: Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3.

Event ID: 102
Source: Microsoft-Windows-CertificationAuthority
Message: Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4.

Related Management Information

AD CS Certification Authority (CA)

Active Directory Certificate Services
