Root CA & Subordinate CA
Hi, I want to get a certificate from a Root server to a Subordinate server. So my Root server can issue a certificate to my Subordinate server. How can I do it? 10x
Evgenie
September 17th, 2011 12:10pm

You should start from here: http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
September 17th, 2011 1:05pm

Hi,
If the root CA is offline, you can export the certificate on the root CA and transfer it to the subordinate CA. Please refer to the "Issuing CA Installation" section in this article. It has a step-by-step guide: http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
Hope it helps.
Regards, Bruce
September 18th, 2011 4:21am

I want to catch (man in the middle) the certificate before it goes to the subordinate CA. How can I do it? 10x
Evgenie
September 18th, 2011 10:12am

Can you explain your issue? There is no chance of a MitM attack, because the certificate doesn't contain a private key, only signed public information.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
September 18th, 2011 10:34am

Are you sure?
Evgenie
September 18th, 2011 11:09am

Yes. Here is a quick view of the process:

1. The subordinate CA generates a key pair — public and private.
2. The subordinate CA generates a request (the public key is included in the request) and signs it with the private key. The issuer (in your case — root CA) will use this public key to put it into the certificate and to verify whether the signature can be verified against the provided public key. This will ensure that the certificate request wasn't modified.
3. The subordinate CA submits the signed request to the issuer. The private key is not transferred during this process and always remains on the source CA.
4. The issuer (root CA) constructs and signs a new certificate with its own private key.
5. Now you can transfer the certificate over a public network, because neither the request nor the certificate contains private key information.
6. Once retrieved, the subordinate CA verifies the certificate and installs it.

As you see, all transferred objects (request and certificate) are digitally signed. If someone attempts to modify their content, signature checking will fail. Also, as you can see, private keys always remain on the respective servers and are never transferred over the network.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
September 18th, 2011 11:46am
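
The signature checks described in the post above, as an added example that is not part of the original thread and is not how Windows AD CS implements them. It assumes the Python `cryptography` package; the CA names, validity period, key size and the helper names (`make_request`, `issue`, `accept`, `demo`) are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def name(cn):  # constructed CA names, for illustration only
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_request(sub_key):
    # Subordinate CA: the request carries the public key and is signed with the private key.
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(name("Example Subordinate CA")).sign(sub_key, hashes.SHA256()))

def issue(root_key, csr):
    # Root CA: reject a request whose signature does not verify against its own public key.
    if not csr.is_signature_valid:
        raise ValueError("request was modified or is not signed by the key it contains")
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(name("Example Root CA"))
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(root_key, hashes.SHA256()))

def accept(cert, root_pub, sub_key):
    # Subordinate CA: check the root's signature, then that the certified key is its own.
    try:
        root_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.public_key().public_numbers() == sub_key.public_key().public_numbers()

def demo():
    der = serialization.Encoding.DER
    alter = lambda blob: blob.replace(b"Subordinate", b"Subordinatf")  # one byte changed in transit
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sub_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = make_request(sub_key)
    cert = issue(root_key, csr)
    bad_csr = x509.load_der_x509_csr(alter(csr.public_bytes(der)))
    bad_cert = x509.load_der_x509_certificate(alter(cert.public_bytes(der)))
    root_pub = root_key.public_key()
    return (csr.is_signature_valid, bad_csr.is_signature_valid,
            accept(cert, root_pub, sub_key), accept(bad_cert, root_pub, sub_key))

if __name__ == "__main__": print(demo())
```

The four values returned by `demo()` are: original request verifies, altered request does not, original certificate is accepted, altered certificate is rejected.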

10x you man
Evgenie
September 18th, 2011 11:55am
