Create Subordinate certificate

This topic contains 2 replies, has 2 voices, and was last updated by TeeStar 1 month, 2 weeks ago.

#49502 TeeStar (Participant)

    Hi all

I am working on creating a few certificates using the New-SelfSignedCertificate cmdlet for a test lab. The first certificate is my root. The second certificate is the subordinate. What I want to do is be able to sign other certificates using the subordinate certificate. I have no issues creating the subordinate certificate from the root certificate. When I try to sign a new certificate from the subordinate, I don't get any error from PowerShell, but the resulting certificate has this error:

'This certificate is not valid because one of the certificate authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.'

Under the Certification Path tab the subordinate certificate says this:

    'This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.'

The commands I am using are:

For root (the stray ":" after the friendly name in the original line has been removed)
$Cert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -TextExtension @("2.5.29.19 ={text}CA:true") -FriendlyName "testRoot" -Subject "testRoot" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com"

I manually copy this cert to Cert:\LocalMachine\Root.

For subordinate
$SubCert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "testSubordinate" -KeyLength 4096 -Signer $Cert -FriendlyName "SubCA-01" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com"

For any other certificate I try to create I use this ($KeyLength was undefined in the snippet as posted; 4096 is used here to match the other commands)
$NewCert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "Win10E-VM02" -KeyLength 4096 -Signer $SubCert -FriendlyName "SubCA-01" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com"

If I try to modify the -TextExtension, PowerShell gives an error that the parameter is incorrect.

Any help would be appreciated.

    Thanks
    Tim

#49504 TomBaker (Participant)

$RootCACert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "testRootCA" -FriendlyName "testRoot" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com" -TextExtension @("2.5.29.19 ={text}CA:true")
$IMCACert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "testSubCA1" -FriendlyName "SubCA-01" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com" -TextExtension @("2.5.29.19 ={text}CA:true") -Signer $RootCACert
$TestCert = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "test-VM02" -FriendlyName "Test-VM02" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -CertStoreLocation Cert:\LocalMachine\My -DnsName "mydomain.com" -Signer $IMCACert
    
  • Add -TextExtension to the IMCA cert line
  • Add -Provider to both IMCA and TestCert

#49587 TeeStar (Participant)

Thanks, I found it. For the root certificate this is needed:

    -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3")

Where ca=1 defines the cert as a signing CA and pathlength=3 is arbitrary; it defines how many SubCAs can be present.

For the subordinate certificate:

    -TextExtension @("2.5.29.19 = {critical} {text}ca=1&pathlength=0")

Where ca=1 defines the cert as a signing CA and pathlength=0 defines that there are no other signing CAs below this one.

I got this information from the certutil help page. I have implemented this and it does work as intended. If anyone is interested in the script I have created, let me know; I would be happy to share it.

    Thanks again
    Tim
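The following script is an added example and is not the poster's script or anything from the original thread. It builds the same three-tier chain (root, subordinate with pathlength=0, end-entity) using the Basic Constraints syntax from the last post, prints what each certificate actually carries in its 2.5.29.19 extension, and verifies the leaf with .NET's X509Chain without touching the machine's trust stores. It also rebuilds the failure from the first post (an intermediate issued with no Basic Constraints) so the difference is visible side by side. Assumptions: Windows 10 / Server 2016 or later with the PKI module; Cert:\CurrentUser\My is used so no elevated prompt is needed (switch $Store to Cert:\LocalMachine\My to match the thread, which requires running as administrator); subject names, "mydomain.com" and validity periods are placeholders.

```powershell
# Added example, not from the original thread. Three-tier test PKI with
# New-SelfSignedCertificate plus an offline chain check.
$Store = 'Cert:\CurrentUser\My'   # LocalMachine\My as in the thread needs elevation
$Dns   = 'mydomain.com'           # placeholder host name

# Root CA: ca=1 with pathlength=1 allows exactly one CA tier beneath it.
$Root = New-SelfSignedCertificate -Subject 'CN=testRoot' -FriendlyName 'testRoot' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyUsageProperty Sign `
    -KeyLength 4096 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation $Store `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=1')

# Subordinate CA: ca=1 so it may sign, pathlength=0 so only end-entity certs below it.
$Sub = New-SelfSignedCertificate -Subject 'CN=testSubordinate' -FriendlyName 'SubCA-01' `
    -Signer $Root -KeyUsage CertSign, CRLSign, DigitalSignature -KeyUsageProperty Sign `
    -KeyLength 4096 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation $Store `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')

# End-entity: explicit ca=0, Server Authentication EKU, SAN for the host.
$Leaf = New-SelfSignedCertificate -Subject 'CN=Win10E-VM02' -FriendlyName 'Win10E-VM02' `
    -Signer $Sub -DnsName $Dns -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation $Store `
    -TextExtension @('2.5.29.19={critical}{text}ca=0',
                     '2.5.29.37={text}1.3.6.1.5.5.7.3.1')

# Reproduce the first post's problem: a signer issued without Basic Constraints.
$BadSub = New-SelfSignedCertificate -Subject 'CN=badSubordinate' -Signer $Root `
    -KeyUsage CertSign, DigitalSignature -KeyUsageProperty Sign `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation $Store
$BadLeaf = New-SelfSignedCertificate -Subject 'CN=badLeaf' -Signer $BadSub -DnsName $Dns `
    -KeyLength 2048 -HashAlgorithm SHA256 -CertStoreLocation $Store

# Print the decoded Basic Constraints extension, which is what the chain engine reads.
function Show-BasicConstraints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc) { return ('{0,-22} no Basic Constraints extension' -f $Cert.Subject) }
    $pl = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
    '{0,-22} CA={1} PathLength={2} Critical={3}' -f $Cert.Subject, $bc.CertificateAuthority, $pl, $bc.Critical
}

# Build the chain with the issuers supplied directly (ExtraStore), so the test does
# not depend on copying the root into Cert:\LocalMachine\Root. Only the untrusted-root
# condition is waived; every other chain error still makes Build() return $false.
function Test-ChainOffline {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Issuers
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.AddRange($Issuers)
    $chain.ChainPolicy.RevocationMode     = 'NoCheck'   # lab certs carry no CDP
    $chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
    $ok = $chain.Build($Leaf)
    [pscustomobject]@{
        Subject = $Leaf.Subject
        Valid   = $ok
        Depth   = $chain.ChainElements.Count
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$Root, $Sub, $Leaf, $BadSub | ForEach-Object { Show-BasicConstraints $_ }
Test-ChainOffline -Leaf $Leaf    -Issuers @($Root, $Sub)
Test-ChainOffline -Leaf $BadLeaf -Issuers @($Root, $BadSub)
```

The first Test-ChainOffline call should come back Valid with a depth of 3; the second should fail, and the status list is where the "not allowed to issue certificates" message from the first post shows up as a named flag (InvalidBasicConstraints), because the issuing certificate has no CA assertion at all. UntrustedRoot may still be listed for both chains since the root is never added to a trust store here; that condition is the one the verification flag waives. Once the certificates look right, the root still has to be placed in Cert:\LocalMachine\Root (as the first post does) for Windows itself to trust the chain.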
