Perform qualified subordination

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To perform qualified subordination

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Create the information file for the qualified subordinate certification authority.

  2. Save the information file as CAPolicy.inf in the systemroot directory on the computer where you are installing the qualified subordinate certification authority.

    For more information, see Notes.

  3. Install the qualified subordinate certification authority.

Notes

  • The information file should contain the certificate extensions needed to specify the qualified subordination constraints for the qualified subordinate certification authority you are installing.

  • When you set up a qualified subordinate CA, you can add a CA policy statement to the CA certificate that is created during setup or a CA certificate renewal, in the form of a text file (CAPolicy.inf) or a pointer to a Web site. The CA policy can contain all the qualified subordination extensions and provide legal and other pertinent information about the CA and its issuing policies, limitations of liability, and so on. An end user will see this CA policy statement when they view the CA certificate and click Issuer Statement.

    For more information about CAPolicy.inf, see "Certificate Services" at the Microsoft Windows Resource Kits Web site.

  • When qualified subordinate CA certificates and cross-certificates are revoked, they should also be deleted from the Active Directory directory service. This deletion is not required for security reasons, but is considered a best practice, as it also removes the certificates from the Local Machine certificates store of client computers.

Using a command line

  1. Open Command Prompt.

  2. Type the following to construct a qualified subordination request from an existing CA certificate or from an existing request:

    certreq -policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]

  3. Type the following to sign the qualified subordination request:

    certreq -sign -cert CertId [RequestFileIn [RequestFileOut]]

  4. Type the following to submit the request to the certification authority:

    certreq [-submit] -config CAComputerName\CAName [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]

  5. Install the enterprise qualified subordinate certification authority.

    For more information, see Related Topics.
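The following is an added example (not part of the original page) that ties together the information file described in the Notes above and command-line steps 2 through 4. It writes a policy .inf using the CAPolicy.inf section syntax, then runs the certreq -policy, -sign and -submit sequence. The domain fabrikam.com, the CA name, the signing-certificate name and every file name are constructed placeholders; the application policy OID is the standard Secure Email EKU.

```powershell
# Added example: policy .inf for a qualified subordinate CA plus the
# certreq -policy / -sign / -submit sequence from steps 2-4.
# All names (fabrikam.com, ca01, the CA and signer names, file names)
# are constructed placeholders; replace them with your own values.

$PolicyInf = @'
[Version]
Signature="$Windows NT$"

[BasicConstraintsExtension]
; The qualified subordinate may issue end-entity certificates only.
PathLength=0
Critical=Yes

[NameConstraintsExtension]
; Any certificate from this CA with names outside the permitted
; namespace (placeholder domain) is rejected by relying parties.
Include=NameConstraintsPermitted
Critical=Yes

[NameConstraintsPermitted]
DNS="fabrikam.com"
email="@fabrikam.com"
DirectoryName="DC=fabrikam,DC=com"

[ApplicationPolicyStatementExtension]
; Restrict the CA to one usage: Secure Email (EKU OID 1.3.6.1.5.5.7.3.4).
Policies=AppEmailPolicy
Critical=No

[AppEmailPolicy]
OID=1.3.6.1.5.5.7.3.4
'@
Set-Content -Path .\QualSub.inf -Value $PolicyInf -Encoding ASCII

# Step 2: qualify the subordinate's existing PKCS #10 request with the .inf.
certreq -policy .\SubCA.req .\QualSub.inf .\QualSub.cmc.req

# Step 3: sign the CMC request with a certificate issued from the
# qualified subordination template (-cert selects it by common name).
certreq -sign -cert "Qualified Subordination Signer" .\QualSub.cmc.req .\QualSub.signed.req

# Step 4: submit the signed request to the parent CA; QualifiedSub.cer is
# the certificate to install on the subordinate in step 5.
certreq -submit -config "ca01.fabrikam.com\Fabrikam Root CA" .\QualSub.signed.req .\QualifiedSub.cer .\QualifiedSub.p7b

# Confirm the constraints are present in the issued certificate before installing it.
certutil -dump .\QualifiedSub.cer | Select-String "Name Constraints","Application Policies","Path Length"
```

Run the signing step from an account that holds the signing certificate (Enterprise Admins by default, as the Notes below describe); if -cert is omitted, certreq prompts for the signing certificate.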

Value and description

certreq

Requests certificates from a certification authority (CA) from the command prompt.

-policy

Required. Sets the policy for a request.

-sign

Required. Signs a cross-certification or qualified subordination request.

-cert CertId

Option. Specifies the signing certificate by common name, serial number, or by SHA-1 key or certificate hash.

-attrib AttributeString

Option. Specifies the Name and Value string pairs, separated by a colon.

-binary

Option. Formats output files as binary instead of Base64-encoded.

-config CAComputerName\CAName

Option. Processes the operation using the CA that is identified in the configuration string specified by CAComputerName\CAName.

Notes

  • Using "-config -" (a single hyphen in place of the configuration string) processes the operation using the default CA.

  • If no -config option is used, the Select Certification Authority dialog box displays a list of all available CAs.

-crl

Option. Includes certificate revocation lists (CRLs) in the Base64-encoded PKCS #7 file, CertChainFileOut, or to the Base64-encoded file, RequestFileOut.

-rpc

Option. Instructs Certificate Services to use the RPC server connection instead of DCOM.

RequestFileIn

Specifies the Base64-encoded or binary input file name. May be a PKCS #10 certificate request, PKCS #7 certificate renewal request, KeyGen tag format certificate request, or a CMC request.

CertFileOut

Specifies to send output to either a binary or a Base64-encoded X.509 file.

CertChainFileOut

Specifies to send output to either a binary or a Base64-encoded PKCS #7 file.

FullResponseFileOut

Specifies to send output to either a binary or a Base64-encoded Full Response file. For -submit, this is the name of the qualified subordinate certificate file (for example, QualifiedSub.cer).

PolicyFileIn

Requires Certificate Services to get input from an .inf file containing a textual representation of extensions that are used to qualify a request.

RequestFileOut

Requires Certificate Services to send output to a Base64-encoded file. RequestFileOut for Step 2 will become RequestFileIn for Step 3.

PKCS10FileOut

Requires Certificate Services to send output to a Base64-encoded PKCS #10 file.

Notes

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type one of the following:

    • certreq -?

    • certreq -policy -?

    • certreq -sign -?

    • certreq -submit -?

  • Signing the qualified subordination request may require Enterprise Administrator credentials. This is a best practice for issuing signing certificates for qualified subordination.

  • The certificate used to sign the qualified subordination request is created using the qualified subordination template. Enterprise Admins will have to sign the request or grant user permissions for the individuals that will sign the certificate.

  • In Step 3, if you omit -cert CertId, you are prompted to supply the name of the signing certificate.

  • When you install a qualified subordinate CA using the certreq command-line tool, the information (.inf) file can have any name. This is different from when you are using an information file as an issuer policy statement. In that case, the information file must be named CAPolicy.inf, as described in the Windows interface procedure above.

  • When you sign the CMC request, you may need to have multiple personnel sign this request, depending on the assurance level that is associated with the qualified subordination.

  • In some cases, if you omit values at the command line, you will be prompted to supply the necessary information.

  • Once the qualified subordination request is signed, it is automatically published to Active Directory.

  • If the parent CA of the qualified subordinate CA you are installing is offline, you must obtain the CA certificate for the qualified subordinate CA from the offline parent. If the parent CA is online, specify the CA certificate for the qualified subordinate CA during the Certificate Services Installation Wizard.

  • When qualified subordinate CA certificates and cross-certificates are revoked, they should also be deleted from Active Directory. This deletion is not required for security reasons, but is considered a best practice as it also removes the certificates from the Local Machine certificates store of client computers.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

  • Installing and configuring a certification authority

  • Install an enterprise subordinate certification authority

  • Install a stand-alone subordinate certification authority

  • Command-line reference A-Z

  • Qualified subordination

  • Qualified subordination overview