How to create a public key certificate from CA such that I can send it to partners to import it as trusted CA
Hello, How do I generate a public key certificate from our CA such that I can send it to partners to import it as a trusted CA on their CA infrastructure. We have standalone Root CA server and online SubCA servers. Both servers run Windows Server 2008 AD Certificate Services. I use the Root CA to issue a certificate to the SubCA only; the subCA will issue normal certificates to web servers, user accounts, computer accounts, etc. Which server (Root CA or SubCA) should I use to generate a "public key certificate"? How to create the "public key certificate"? Thanks, SJJ123
January 10th, 2012 6:45am

Depending on partner's PKI:
1) they can install your Root CA's certificate to their Trusted Root CAs store (by publishing it in the AD).
2) they can perform cross-certification (requires their own PKI).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
January 10th, 2012 7:28am

Hi Vadims, Thank you for your reply. I am asking from my CA infrastructure which CA server I should use to generate a certificate and how or what kind of the certificate should be - all from my CA infrastructure. And then the certificate will be sent to my partners and they should install it as in your reply. Regards, SJJ123
January 10th, 2012 7:33am

You would simply export the root CA certificate to a Base64 or DER format file. This is the file you would provide to your partner. Now, that being said, I would vote for Vadim's second answer if I were your partner. There is no way in hell I am going to add your company's root CA certificate to my company's trusted root Store. I would use cross-certification to limit how your certificates can be used. I can limit it for namespace, application policy, chain length and/or certificate policy. This allows me to select which specific certificates I trust from your organization, rather than all certificates. See my whitepaper on cross-certification here: http://technet.microsoft.com/en-us/library/cc787237%28WS.10%29.aspx Brian
January 10th, 2012 7:36am

Hi Brian, Thank you very much for your reply. I will study further re cross-certification as mentioned by you and Vadims. This is what I did for exporting the RootCA certificate:
1) Run Certification Authority console/MMC snap-in.
2) Right click on my SubCA and select Properties.
3) Click View Certificate button in General tab.
4) Click Certification Path tab and highlight my RootCA.
5) Click View Certificate button to see details of the RootCA certificate.
6) Click Details tab and click Copy to File.
7) Export the RootCA certificate to a file in DER format.

Am I right? Kind regards, SJJ123
January 10th, 2012 9:34am

Yes, that is correct.
Brian
January 10th, 2012 3:52pm
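
The export confirmed above can also be scripted. The following PowerShell is an added example, not code from any poster in this thread: it writes the root CA certificate in both DER and Base64 form, refuses anything that is not self-signed, and returns a SHA-256 fingerprint the partner can compare before importing. The function name, the subject `CN=Example Root CA`, the output file names and `C:\Export` are placeholders chosen for illustration.

```powershell
# Added example. 'CN=Example Root CA' and C:\Export are placeholders, not values from the thread.
function Export-RootCaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Subject,
        [Parameter(Mandatory = $true)][string]$OutDir
    )

    # Assumption: run where the root is already trusted (for example the SubCA),
    # so its certificate is in the LocalMachine\Root store.
    $found = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Subject })
    if ($found.Count -ne 1) {
        # A renewed root can leave several certificates with the same subject.
        throw "Expected one certificate for '$Subject', found $($found.Count)."
    }
    $cert = $found[0]

    # A root CA certificate is self-signed: subject and issuer are the same name.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "'$Subject' is not self-signed, so it is not a root certificate."
    }

    # ContentType 'Cert' is the DER-encoded certificate only; no private key is written.
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    $der = $cert.Export($type)
    $derPath = Join-Path $OutDir 'rootca-der.cer'
    [System.IO.File]::WriteAllBytes($derPath, $der)

    # Base64 form of the same bytes, for partners who prefer a text file.
    $b64 = [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pemPath = Join-Path $OutDir 'rootca-base64.cer'
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [System.IO.File]::WriteAllText($pemPath, $pem, [System.Text.Encoding]::ASCII)

    # SHA-256 of the DER bytes: give this to the partner over a separate channel
    # so they can confirm the file they import is the one you exported.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fingerprint = [System.BitConverter]::ToString($sha256.ComputeHash($der)) -replace '-', ''

    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        DerFile  = $derPath
        PemFile  = $pemPath
        Sha256   = $fingerprint
    }
}

Export-RootCaCertificate -Subject 'CN=Example Root CA' -OutDir 'C:\Export'
```

The `-Subject` value must match the certificate's full subject name as shown on the Details tab.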

This topic is archived. No further replies will be accepted.
