Format of request file for requesting a certificate to install a standalone subordinate CA
Problem: How do I create a request for a certificate for installing a standalone subordinate CA using certreq.exe -new request.inf request.req? I am looking for help with the contents of the request.inf file, which can generate a CA certificate.

I am trying to install a standalone subordinate CA on WS 2008 R2 on an Azure worker role. As per our application requirement, once a cert has been issued from our CA, we never go back and interact with the CA again (for checking an issued cert or any other functionality). For us the CA is just there to issue certs (handle CSRs) for our client requests. Because of this we can have multiple machines with the CA installed on them (but all the CAs will be installed with the same CA certificate, as we do some validation of the root chain for certs issued from our CA).

Since we are hosting the CA on Azure, we want to take advantage of Azure scaling for our worker role hosting the CA. So if today we have 2 instances/machines with the CA installed, we can increase that to 4 machines on demand. So we have to install the CA on 2 new machines without any human intervention. Because of this automated deployment we can't go with the CA installation option where we generate a request file and send it to the root CA.

To overcome the limitation of dynamic CA installation, we are trying to create a CA certificate request with certreq.exe, get it signed by the root CA and then upload the certificate to Azure. Using the CA "use existing certificate" option, we will install the CA on multiple Azure machines.

When we create a request with certreq.exe, we are not able to install the CA with that certificate. The certificate is missing some attributes for it to be considered a CA certificate. Can anyone kindly provide a sample request.inf file which I can pass to certreq -new Request_In.inf request.req to generate a certificate that can be used to install a CA on WS 2008 R2?

Regards
June 1st, 2011 9:09am

This guide may help you http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
June 3rd, 2011 10:45am

For a certificate to work as a CA certificate (install CA), it should be marked as follows in the INF file:

    [BasicConstraintsExtension]
    Critical=Yes

This adds basic constraints with Subject Type=CA in the generated certificate.

Regards
singhhome
June 10th, 2011 11:44am

I am repeating a response from certificate guru Vic Heller. FYI: I know that singhhome was able to get the help he required already, so I am just repeating this answer for the benefit of people reading this thread in the future:

That could be done, but why not install the first subordinate CA and export the certs and keys using certutil -backupkey?

If certreq -new is still the chosen path: certreq -new -v -? will show an example of a text format basic constraints extension in an INF file.

For the INF sample below:

Change the CACN = line to the CA Subject Common Name to be used for your CA. To avoid SSL applications using the CA cert, do not use the CA machine’s NetBios or DNS name for this.

Note that CAs typically use the same name for the first key container. If you need to delete an existing key during testing, or when throwing out an old CA, use certutil -delkey CASubjectCommonName to irretrievably delete the old key. Certreq -new will refuse to overwrite an existing key.

Use certreq -q -f INFFile Pkcs10RequestFile to avoid U/I when the template is inaccessible.

Remove the CertificateTemplate = line (and the enclosing section) if you don’t want a template reference in the request.

    [Version]
    Signature="$Windows NT$"

    [Strings]
    CACN = "CASubjectCommonName"
    ; 2.5.29.19 is the OID of the Basic Constraints extension
    szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"

    [NewRequest]
    Subject = "CN=%CACN%"
    KeyContainer = "%CACN%"
    Exportable = True
    MachineKeySet = True
    KeyLength = 2048
    KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
    KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"

    [RequestAttributes]
    CertificateTemplate = "SubCA"

    [Extensions]
    ; ca=1 marks the subject as a CA; pathlength=0 allows no further subordinate CAs below it
    %szOID_BASIC_CONSTRAINTS2% = "{text}ca=1&pathlength=0"
    ; list the Basic Constraints extension as critical
    Critical = %szOID_BASIC_CONSTRAINTS2%
June 10th, 2011 10:34pm
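
Added example, not part of any post in this thread: a PowerShell check that can be run on the certificate returned by the root CA, before it is uploaded, to confirm it carries the CA attributes the posts above discuss (Basic Constraints with ca=1, and the cert-sign and CRL-sign key usages). The function name, parameter name and the file name in the usage comment are assumptions made for the example.

```powershell
# Added example, not from the thread. Reports the CA-related extensions of a
# signed certificate file so a non-CA certificate is caught before CA install.
function Get-CaCertificateReport {
    param([Parameter(Mandatory = $true)][string]$Path)   # hypothetical parameter name

    $ns   = 'System.Security.Cryptography.X509Certificates'
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $file

    # Basic Constraints, OID 2.5.29.19 (szOID_BASIC_CONSTRAINTS2 in the INF sample)
    $isCA = $false; $bcCritical = $false; $pathLength = $null
    $raw = $cert.Extensions['2.5.29.19']
    if ($raw) {
        $bc = New-Object "$ns.X509BasicConstraintsExtension" -ArgumentList $raw, $raw.Critical
        $isCA       = $bc.CertificateAuthority
        $bcCritical = $bc.Critical
        if ($bc.HasPathLengthConstraint) { $pathLength = $bc.PathLengthConstraint }
    }

    # Key Usage, OID 2.5.29.15: the INF sample requests cert-sign and CRL-sign
    $certSign = $false; $crlSign = $false
    $raw = $cert.Extensions['2.5.29.15']
    if ($raw) {
        $ku    = New-Object "$ns.X509KeyUsageExtension" -ArgumentList $raw, $raw.Critical
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $usage = [int]$ku.KeyUsages
        $certSign = ($usage -band [int]($flags::KeyCertSign)) -ne 0
        $crlSign  = ($usage -band [int]($flags::CrlSign)) -ne 0
    }

    New-Object PSObject -Property @{
        Subject                  = $cert.Subject
        Thumbprint               = $cert.Thumbprint
        IsCA                     = $isCA         # false when Basic Constraints is absent
        BasicConstraintsCritical = $bcCritical
        PathLength               = $pathLength   # $null means no path length constraint
        KeyCertSign              = $certSign
        CrlSign                  = $crlSign
    }
}

# Usage (constructed file name): stop an automated deployment on a non-CA cert.
# $r = Get-CaCertificateReport -Path .\subca.cer
# if (-not ($r.IsCA -and $r.KeyCertSign)) { throw "Not a CA certificate: $($r.Subject)" }
```

The check reads only the public certificate, so it does not confirm that the matching private key is present on the machine.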
