Microsoft CA - Step by step process to sign a root CA by a Public Root CA authority
We have a new customer whoneed to have theirMicrosoft CA implementation publically trusted. They have a Root CA set up and wish to now have that Root CAsigned by a Public Trust Issuer. Can someonepoint me to a reference process on how they effectively turn their current root CA into a subordinate CA and pass the CSR to the Public CA. I want to ideally provide a publically avaialble link to them to highlight the process they need to follow.
December 10th, 2009 1:47pm

In the typical deployment, you are too far down the path.You would establish a subordinate CA below the commercial rootA root CA is self signed and cannot submit its request to another root CA.The only possibility is finding a commercial provider that performs cross-certification (I believe ENtrust might)Also, most will require specific policy requirements, so you may have to choose between tearing down or building a new hierarchy for external trustTo be honest, the actual process is the same as building any subordinate CA from a clicking point of view, just more policy requirements:1) HSMs = definitely2) CP = Most likely3) Annual audits (possibily)Brian
Free Windows Admin Tool Kit Click here and download it now
December 10th, 2009 6:32pm

In addition to Brian's answer I'm attaching some links you might find useful. 1) Globalsign provides a service that allows you to create a trusted subordinate authority, see http://eu.globalsign.com/pki/rootsign.htm2) TC Trustcenter as well, http://www.trustcenter.de/en/products/tc_rootsigning.htm, for sample requirements see https://de.sitestat.com/tc/tcde/s?dc_EN_TCRootSign-StatementServices-0907-en.pdf&ns_type=pdf&ns_url=http://www.trustcenter.de/media/TCRootSign-StatementServices-0907-en.pdfRegardsMartin Rublik
December 11th, 2009 11:58am

Adding to Martin's list of commercial providers offering subordinate CA possibilities: RSA Root Signing Service: http://www.rsa.com/products/keon/datasheets/KRSS_DS_0904.pdf GeoTrust GeoRoot:http://www.geotrust.com/enterprise-ssl-certificates/georoot/index.html ChosenSecurity RootSigning: http://www.chosensecurity.com/stuff/contentmgr/files/0/0138ef0d183910a08369c7d53d7d052e/document/tcrootsign_statementservices_0907_en.pdf Verizon OmniRoot: http://www.verizonbusiness.com/products/security/identity/omniroot/ Brian
Free Windows Admin Tool Kit Click here and download it now
December 11th, 2009 5:50pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics