How to Cross-Certify a Windows Server 2003 Certification Authority with an Entrust CA

This article describes how to configure a Windows Server 2003 certification authority (CA) to cross-certify with other, non-Microsoft CAs.

Note This information is provided "as is." Microsoft does not support the steps that take actions on the Entrust CA. The following steps are based on Entrust version 5.0.

On the Microsoft Enterprise Computer

1. On the Microsoft stand-alone CA computer, visit the following Windows Server 2003 Certificate Services Web page:
   http://ComputerName/certsrv
   where ComputerName is the name of the computer that is acting as the CA.
2. Click Request a certificate, and then click advanced certificate request.
3. Click the Create and submit a request to this CA link.
4. Select the certificate template to use for this request.
5. Click to select the Use existing key set option.
6. Click to select the Store Certificate in the local computer certificate store check box.
7. Under Additional Options, click to select the PKCS 10 check box.
8. Click to select Save request to a file, and then type the location to store the file. Include the file name. For example, type C:\Example\testcert as the full path name.
9. Click Save.
10. Click Yes to accept any security warning prompts, and then click OK.
11. Click to clear the Save request to a file check box.
12. In the Attributes box, type CertificateTemplate:CrossCA.
13. Click Submit to request the certificate.
14. Perform the request, and use the following settings.
    
    Note For a Windows Server 2003 CA, use an advanced naming convention for the domain name.
    1. In the Type of Certificate Needed box, click to select Other.
    2. Leave the OID box blank.
    3. Click the Use existing key set option.
    4. In Container name, type the name of the stand-alone root CA.
    5. Click to select the Store Certificate in the local computer certificate store check box.
    6. Click to select the PKCS 10 check box.
    7. Click to select the Save request to a file check box, and then type the file name in the Full path name box.
    8. Click Save.
    9. Click Yes to accept any security warning prompts, and then click OK.
    10. Click to clear the Save request to a file check box.
    11. Type CertificateTemplate:CrossCA in the Attributes box.
    12. Click Submit to request the certificate.
15. Open a command prompt, locate the folder where you just saved the certificate request, and then encode the file to Base64. To do this, follow these steps:
    1. Click Start, and then click Run.
    2. Type cmd, and then click OK.
    3. Locate the folder that you just saved the request to, and then type the following command:
       certutil -decode name_of_saved_requestnew_name.der
       For example:
       certutil -decode entrustold entrustednew.der
16. Save the new .der file to a floppy disk or to a shared drive.

On the Computer with the Entrust Root Authority

1. Open Entrust Root Authority (RA) with the First Officer account.
2. Expand Certification Authority [CA].
3. Right-click Cross-Certified CAs, and then click Offline Cross-Certification.
4. Click Sign Cross-Certificate for Enterprise/Web.
5. When you are prompted for a Cross-Certificate Request (*.der) file, locate the .der file on the floppy disk or on the shared drive, and then click Open.
   
   Note You cannot use a Base64 request.
6. At Sign Cross-Certificate, click Sign.
7. Click Default Type as the type of cross-certificate to be created.
8. Type the password for the Entrust RA, and then click OK.

From Entrust

Before you continue, modify the Entmgr.ini file that is located in the Entmgrdata\Manager folder. By default, Entrust does not create CDP points in issued certificates. Therefore, you must create and share out this folder expressly for this purpose.

Use the following sample entries as a basis for the entries that you have to insert in the file:

On the Entrust Root Computer

1. Access the Entrust RA by using the First Officer Account.
2. Expand Certification Authority [CA].
3. Right-click Cross-Certified CAs, and then click Offline Cross-Certification.
4. Click Request Cross-certificate for Enterprise/Web
5. Save the CA Cross-Certificate Request to a floppy disk or to a shared disk.
   
   Note It will be saved as a *.der file.

On the Windows Server 2003 Stand-Alone Root CA Computer

1. Copy the Entrust Cross-Certificate Request to a folder on the local drive.
2. Save the request to a folder.
3. Open a command prompt and locate the saved request.
4. At the prompt in the folder where you saved the request, type the following command to encode the file to Base64:
   certutil -encode name_of_saved_requestnew_name.cer
   For example:
   certutil -encode entrustrequest entrustsigned.cer
5. At the command prompt, type certreq -policy. You also must have an enrollment agent certificate with the Qualified Subordination extension and a valid Policy.inf file.
6. At the command prompt, when you receive the message "Open Request File," change Files of type to X.509 Certificate (.cer, .crt). Locate the .cer file from the Entrust CA, and then click Open.
7. At the prompt for the .inf file, locate the .inf file, and then click Open.
8. In the Certificate List dialog box, click the certificate, and then click OK.
9. When you are prompted to save the file, save the file to the location of your choice, and then click Save, and then click OK.
   
   Note You must use an .req extension for this file name.
10. Click Start, point to Administrative Tools, and then click Certification Authority.
11. Right-click the CA server, click All Tasks, and then click Submit new request.
12. Locate the Entrust CMC request, click Open, save the Outfile as a .cer file to a folder, name it something that is easy to remember, and then click Save.
13. At a command prompt, type the following command line to publish the cross-certificate to the domain server:
    certutil -f -dsspublish name_of_cross-cert.cer CrossCA