CA only capable of issuing Client Authentication Certificates
Is it possible to create a root CA certificate only capable of issuing Client Authentication certificates? The scenario is we have a business partner who would like to utilize client side certs for an additional layer of security. While this is nice, they would like to utilize their own CA to sign these client authentication certificates. I have a problem with this because now all our clients will need their root CA to be in our trusted CA list, which basically lowers our security posture because if their CA is ever compromised it could be used to issue certs which our clients would trust (i.e. microsoft.com). While this scenario is not very likely, there is still some risk here.

So... I'm wondering if a root CA certificate can be created such that the basic constraints (extension) limits this certificate's usage to only signing client authentication certs? Thus, with this CA installed our clients will allow the client authentication certificate to be imported client side while still limiting the power of this CA. When the clients communicate with the partner, the partner needs to make sure they have certs signed by a trusted 3rd party (for example, the web portal would NOT be signed by their CA, but rather Verisign or someone else already trusted).

Maybe I'm missing something here - I don't claim to be a certificate guru :)

Thanks, Jeff
April 4th, 2012 4:29pm

I would never agree to this. *Your* organization issues certificates to *your* employees.

1) Issue your own client authentication certificate.
2) Have the partner cross-certify with your PKI so that they trust only certificates for the application policy = Client Authentication.
3) Never add a partner's CA to your trusted root store.
4) Never let a partner issue certificates to your employees.

From the partner's perspective, the certificates will chain to *their* root CA. From your perspective, the certificates will chain to *your* CA.

For details, see my whitepaper on Qualified Subordination: http://technet.microsoft.com/en-us/library/cc787237%28v=ws.10%29.aspx

Brian
April 4th, 2012 5:03pm

Brian, thanks for the reply. While I completely agree with you, I don't think this will be an option because I doubt the vendor's system will support us using our own certs. I'm guessing that they will have no facility to map our certificates to users within their system. Today, the users have a username and password for the vendor portal. When they sign in they are required to request a client auth cert from their system, which will be used from that point forward for application access. I'm guessing that they have no facility to map our certs to their system. Unfortunately, most of these systems are designed to scale to organizations with very little technical knowledge. I will ask them though :)

I'm going to be taking a look at your papers because they look very informative. I guess I'm left with my initial question: Is it possible to create a root CA certificate only capable of issuing Client Authentication certificates? This way we could at a minimum suggest that the vendor change their cert to limit everyone's exposure?

Jeff
April 12th, 2012 1:26pm
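The arrangement Brian describes (cross-certify the partner CA key under an application policy of Client Authentication) and the answer to Jeff's repeated question, as an added example that is not code from the thread or from the whitepaper. It assumes only the openssl command line; every CA name, hostname and file name is a constructed placeholder. What it shows: basicConstraints cannot express a purpose limit (it only says "this is a CA" and how deep the chain may go), but an extendedKeyUsage extension on the CA-level certificate can, and both OpenSSL and Windows CryptoAPI intersect EKU across the whole chain, so a leaf below a clientAuth-only cross-certificate never validates as a TLS server even though the partner's own root never enters the trust store.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throw-away PKI in a temp dir:
#   partner.pem  - the partner's own (unconstrained) root CA
#   ours.pem     - our organisation's root CA, the only thing our clients trust
#   cross.pem    - cross-certificate: OUR root certifying the PARTNER CA key,
#                  with extendedKeyUsage limited to clientAuth
#   client.pem   - a client-auth certificate the partner issued to a user
#   server.pem   - a TLS server certificate the partner CA could also mint
# All names are constructed placeholders. Requires the openssl CLI (1.1 or 3.x).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file; the CN is supplied per call with -subj.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

# Ordinary root CA profile, used for both self-signed roots.
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Cross-certificate profile: still a CA, but the EKU says "client auth only".
# Chain builders intersect EKU down the chain, so nothing below this
# certificate can validate for server authentication.
[v3_cross]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth

# What a compromised partner CA could issue: a server cert for any hostname.
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:portal.example.com
EOF

# Two self-signed roots, one per organisation.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf -extensions v3_root \
    -subj "/CN=Partner Root CA (constructed)" -keyout partner.key -out partner.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf -extensions v3_root \
    -subj "/CN=Our Root CA (constructed)" -keyout ours.key -out ours.pem 2>/dev/null

# Cross-certification: our root signs the partner CA's public key under the
# constrained profile. The subject must match the partner root's subject so
# that partner-issued leaves chain through it.
openssl req -new -key partner.key -config pki.cnf \
    -subj "/CN=Partner Root CA (constructed)" -out partner.csr 2>/dev/null
openssl x509 -req -in partner.csr -CA ours.pem -CAkey ours.key -CAcreateserial -days 30 \
    -extfile pki.cnf -extensions v3_cross -out cross.pem 2>/dev/null

# Two leaves, both signed by the partner's own root key.
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=jeff@ours.example" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA partner.pem -CAkey partner.key -CAcreateserial -days 30 \
    -extfile pki.cnf -extensions v3_client -out client.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=portal.example.com" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA partner.pem -CAkey partner.key -CAcreateserial -days 30 \
    -extfile pki.cnf -extensions v3_server -out server.pem 2>/dev/null

# Brian's model: only OUR root is trusted; the cross-certificate is offered as
# an untrusted intermediate. $1 = openssl purpose (sslclient/sslserver), $2 = cert.
verify_via_cross() {
    openssl verify -CAfile "$WORK/ours.pem" -untrusted "$WORK/cross.pem" \
        -purpose "$1" "$2" >/dev/null 2>&1
}

# Jeff's original proposal: the partner root itself in the trusted store.
verify_via_partner_root() {
    openssl verify -CAfile "$WORK/partner.pem" -purpose "$1" "$2" >/dev/null 2>&1
}

verify_via_cross sslclient client.pem && echo "cross-cert chain: client cert accepted for client auth"
verify_via_cross sslserver server.pem || echo "cross-cert chain: server cert REJECTED (unsupported certificate purpose)"
verify_via_partner_root sslserver server.pem && echo "partner root trusted directly: rogue server cert ACCEPTED"
```

Run it with sh; it prints one line per check. The last check is exactly what Jeff was being asked to accept: with the partner root trusted directly, a partner-issued certificate for any hostname validates as a server certificate. One caveat on relying on EKU in CA certificates: RFC 5280 defines EKU processing only for end-entity certificates, so the restriction holds only where the validating software chooses to enforce it (OpenSSL's -purpose and Windows chain building do), which is one more reason to keep the partner root out of the trusted store and use the cross-certificate route Brian recommends rather than asking the partner to constrain its own root.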
