Cross Certification - Chain Validation
Hi, I need to set up cross certification (with Qualified Subordination) to enable signed code developed in our test environment to be trusted by our production environment. In each environment's forest we have a root CA and 2 level 1 policy/issuing CAs. I want it so that our production environment trusts all certificates issued by the test Root CA downwards (as there are a couple of level 1 CAs for different assurance levels).

From the issuing CA in production I have issued a Cross Certification certificate to the Root CA in test (using qualified subordination to limit it to code signing only). The code signing certificate was issued from an issuing CA in test. I am distributing the code signing certificate as a trusted publisher certificate using software restriction policies. Everything validates OK only if I place a copy of the Test subordinate CA certificate in the Intermediate Certification Authorities store.

My question is: do I need to distribute the level 1 test CA certificates as intermediate certificates in production to allow the certificate chain to validate up to the Cross Certification certificate? If so, how do I distribute it as an intermediate certificate?

Thanks for any advice!
Pete
October 29th, 2009 10:18pm

Hi Pete,

Yes, you need to import the certificate of the Test subCA into the Intermediate Certification Authorities store if the computer cannot download it from the AIA location.

For Windows Server 2008, we can deploy intermediate certification authority certificates by using Group Policy: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Intermediate Certification Authorities.

For Windows Server 2003, there is no group policy to import intermediate certification authority certificates. However, we can use the following command to import the intermediate CA certificate into the computers:

certutil -addstore CA "Path to the Test subCA certificate"

Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
October 30th, 2009 12:27pm

Hi Joson,

Thanks for the reply - I thought that would be the case. The computers cannot download it from the AIA location and we do not currently have Windows Server 2008 DCs (yet another good reason to upgrade!).

I guess that leaves me with the option of deploying the intermediate CA cert to all computers with certutil or via a script, but this is not ideal as there are several thousand workstations that would require it. Would you suggest the best option would be to issue a cross certification certificate to the subordinate CA instead?

Pete
October 30th, 2009 2:28pm

Hi Pete,

You may consider using a startup script (Group Policy) to deploy the intermediate CA certificate.

Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
November 2nd, 2009 5:31am
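The two replies above amount to one procedure: get the Test subordinate CA certificate into each machine's Intermediate Certification Authorities store (certutil store name CA), then confirm that the code-signing certificate chains through the cross-certificate for the code-signing purpose only. The following Group Policy startup script is an added example written for this thread, not code from Joson, Pete or Microsoft; it assumes PowerShell is present on the workstations, that the certificate files sit on a read-only share, and the share paths and log file location are placeholders to replace. The idempotency check by thumbprint means the script can run at every boot without re-importing, and the chain check uses the code-signing application policy OID (1.3.6.1.5.5.7.3.3) so that a chain which only builds for some other usage is reported as a failure.

```powershell
# Added example (not from the thread). Run as a Computer Configuration startup script,
# so it executes under the machine account and writes to the LocalMachine stores.
# Placeholder paths: point them at a read-only share your workstations can reach.
$TestSubCaCert   = '\\fileserver\certs\Test-SubCA.cer'     # placeholder path
$CodeSigningCert = '\\fileserver\certs\Test-CodeSign.cer'  # placeholder path
$LogFile         = "$env:SystemRoot\Temp\cross-cert-deploy.log"  # placeholder path

function Test-IntermediateInstalled {
    param([string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 'CA' is the Intermediate Certification Authorities store, same name certutil uses
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'CA', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        # Match on thumbprint so repeated boots do not import duplicate copies
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

function Test-CodeSigningChain {
    param([string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Restrict the check to the code-signing EKU. The qualified-subordination
    # cross-certificate only grants that usage, so that is the chain we care about.
    $codeSigningOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid) | Out-Null
    $ok = $chain.Build($cert)
    if (-not $ok) {
        # Clients in this thread cannot reach the AIA location; revocation endpoints may be
        # unreachable too, so record every status flag instead of silently ignoring it.
        foreach ($status in $chain.ChainStatus) {
            Add-Content $LogFile "$(Get-Date -Format s) CHAIN: $($status.Status) $($status.StatusInformation)"
        }
    }
    return $ok
}

if (-not (Test-IntermediateInstalled $TestSubCaCert)) {
    # Same command as in the reply above, run once per machine
    certutil -addstore CA $TestSubCaCert | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Add-Content $LogFile "$(Get-Date -Format s) certutil -addstore failed, exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
    Add-Content $LogFile "$(Get-Date -Format s) imported Test subordinate CA certificate into CA store"
}

if (Test-CodeSigningChain $CodeSigningCert) {
    Add-Content $LogFile "$(Get-Date -Format s) code-signing chain builds through the cross-certificate"
    exit 0
} else {
    Add-Content $LogFile "$(Get-Date -Format s) code-signing chain FAILED to build for code signing"
    exit 1
}
```

On workstations without PowerShell (the Windows Server 2003 era machines Pete mentions), the same single certutil -addstore CA line in a .cmd startup script does the import; the PowerShell version only adds the thumbprint check and the chain verification, which is where you would notice if the cross-certificate itself, rather than the intermediate, were missing from the production side.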
