Root CA & Subordinate CA
Hi,
I want to get a certificate from a Root server to a Subordinate server, so my Root server can issue a certificate to my Subordinate server.
How can I do it?
10x
Evgenie
September 17th, 2011 12:10pm
You should start from here:
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
September 17th, 2011 1:05pm
Hi,
If the root CA is offline, you can export the certificate on the Root CA and transfer it to the subordinate CA. Please refer to the "Issuing CA Installation" section in this article. It has a step-by-step guide:
http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
Hope it helps.
Regards,
Bruce
September 18th, 2011 4:21am
I want to catch (man in the middle) the certificate before it goes to the subordinate CA.
How can I do it?
10x
Evgenie
September 18th, 2011 10:12am
Can you explain your issue? There is no chance of a MitM attack, because the certificate doesn't contain the private key, only signed public information.
September 18th, 2011 10:34am
Are you sure?
Evgenie
September 18th, 2011 11:09am
Yes. Here is a quick view of the process:
The subordinate CA generates a key pair — public and private; the subordinate CA generates a request (the public key is included in the request) and signs it with the private key. The issuer (in your case — the root CA) will use this public key to put it in the certificate and to verify whether the signature can be verified against the provided public key. This ensures that the certificate request wasn't modified.
The subordinate CA submits the signed request to the issuer. The private key is not transferred during this process and always remains on the source CA.
The issuer (root CA) constructs and signs the new certificate with its own private key.
Now you can transfer the certificate over a public network, because neither the request nor the certificate contains private key information.
Once retrieved, the subordinate CA verifies the certificate and installs it.
As you see, all transferred objects (request and certificate) are digitally signed. If someone attempts to modify their content, the signature check will fail. Also, as you can see, the private keys always remain on the respective servers and are never transferred over the network.
September 18th, 2011 11:46am
10x you man
Evgenie
September 18th, 2011 11:55am