How to Cross-Certify a Microsoft Certification Authority (Windows 2000) with an Entrust CA (280746)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q280746

SUMMARY

This article describes how to configure a Microsoft Windows 2000 Certification Authority (CA) to cross-certify with other, non-Microsoft CAs.

MORE INFORMATION

NOTE: This information is provided "as is." Microsoft does not support the steps that concern actions taken on the Entrust CA. Entrust 5.0 is the version upon which the following steps are based.

On the Microsoft Enterprise Computer

  1. On the Microsoft Stand Alone CA computer, access the Web enrollment pages at the following Web address:

    http://computername/certsrv

  2. Click Request a certificate, and then click Next.
  3. Click Advanced request, and then click Next.
  4. Click Submit a certificate request to this CA using a form, and then click Next.
  5. Perform the request and use the following settings:
    1. Under Identifying Information, type the name of the CA. Be sure that this information is exactly the same as the CA subject information. Do not modify anything else in this section.
    2. Under Intended Purpose, click Other.
    3. Leave the OID box blank.
    4. Click the Use existing key set option.
    5. In Container name, type the name of the Stand Alone Root CA.
    6. Click to select the Use local machine store check box.
    7. Click to select the Save request to a PKCS #10 file check box.
    8. In Attributes, type CertificateTemplate:SubCA.
  6. Save the request to a folder.
  7. Open a command prompt and locate the saved request.
  8. At the prompt in the folder in which you saved the request, type the following command to convert the saved Base64 request into a binary DER file (the Entrust tool in the next section accepts only a binary request, not a Base64 one):

    certutil -decode <name of saved request> <new name>.der

    For example:

    certutil -decode entrustold entrustednew.der

  9. Save the new .der file to a floppy or a shared drive.

On the Computer with the Entrust Root Authority

  1. Open Entrust Root Authority (RA) with the First Officer account.
  2. Expand Certification Authority [CA].
  3. Right-click Cross-Certified CAs, and then click Offline Cross-Certification.
  4. Click Sign Cross-Certificate for Enterprise/Web.
  5. When you are prompted for a Cross-Certificate Request (*.der) file, locate the .der file on the floppy, and then click Open. Note: You cannot use a Base64 request.
  6. At Sign Cross-Certificate, click Sign.
  7. Click Default Type as the type of cross-certificate to be created.
  8. Type the password for the Entrust RA, and then click OK.

From Entrust

Before continuing, modify the Entmgr.ini file, which is located in the \\Entmgrdata\Manager folder. You have to create and share out this folder expressly for this purpose because, by default, Entrust does not place CRL distribution points (CDPs) in the certificates that it issues.

Use the following sample entries as a basis for the entries that you have to insert into the file:


[CRL]
CombinedCRLFile=C:\Entrust\EntRoot.crl
[CDP]
1=file://JETTNECNT4SRV/Entrust/entroot.crl

On the Entrust Root Computer

  1. Access the Entrust RA by using the First Officer Account.
  2. Expand Certification Authority [CA].
  3. Right-click Cross-Certified CAs, and then click Offline Cross-Certification.
  4. Click Request Cross-certificate for Enterprise/Web.
  5. Save the CA Cross-Certificate Request to a floppy or a shared disk. Note: It will be saved as a *.der file.

On the Microsoft Windows 2000 Stand Alone Root CA Computer

  1. Copy the Entrust Cross-Certificate Request to a directory on the local drive.
  2. Save the request to a directory.
  3. Open a command prompt and locate the saved request.
  4. At the prompt in the folder in which you saved the request, type the following command to encode the file to Base64:

    certutil -encode <name of saved request> <new name>.cer

    For example:

    certutil -encode entrustrequest entrustsigned.cer
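The two certutil steps in this article (-decode on the Microsoft side to produce a binary .der request for Entrust, and -encode here to turn the Entrust .der request back into Base64 for the Web enrollment pages) are plain format conversions. The following Python script is an added example, not part of the article and not Microsoft's or Entrust's code; it reproduces both conversions and, before handing a file on, checks that it really is in the format the next tool expects, which is the usual cause of a rejected request. The sample DER blob is constructed for the demonration: a minimal ASN.1 SEQUENCE, not a real PKCS #10 request, and the function names are this example's own.

```python
"""Added example: what 'certutil -decode' and 'certutil -encode' do to a
request file, with a format check for each direction. Not from the KB article."""
import base64
import textwrap

PEM_HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"
PEM_FOOTER = "-----END NEW CERTIFICATE REQUEST-----"


def der_length(buf, pos):
    """Parse a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80:                     # non-minimal length is BER, not DER
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n


def looks_like_der(buf):
    """True when buf is exactly one DER SEQUENCE (tag 0x30) whose length
    matches the file size. A binary request must pass this before it goes to
    a tool that cannot read Base64 (the Entrust offline cross-certification step)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, body = der_length(buf, 1)
    except ValueError:
        return False
    return body + length == len(buf)


def looks_like_base64(text):
    """True for a PEM-armored (Base64) request such as the Web pages expect."""
    return text.lstrip().startswith("-----BEGIN")


def encode_to_base64(der):
    """Equivalent of 'certutil -encode': DER bytes in, PEM-armored Base64 out."""
    if not looks_like_der(der):
        raise ValueError("input is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER, ""])


def decode_to_der(text):
    """Equivalent of 'certutil -decode': PEM-armored Base64 in, DER bytes out."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("input is not a Base64 (PEM) request")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not looks_like_der(der):
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der


def rejects(func, arg):
    """Helper: True when func(arg) refuses its input with ValueError."""
    try:
        func(arg)
    except ValueError:
        return True
    return False


# Constructed stand-in for a request: SEQUENCE { OCTET STRING "sample" }.
# A real PKCS #10 request is also a DER SEQUENCE, just a much larger one.
SAMPLE_DER = bytes([0x30, 0x08, 0x04, 0x06]) + b"sample"

if __name__ == "__main__":
    pem = encode_to_base64(SAMPLE_DER)       # the '-encode' step of this section
    print(pem)
    assert decode_to_der(pem) == SAMPLE_DER  # the '-decode' step of the first section
    print("round trip OK; Base64 text rejected as DER:",
          rejects(encode_to_base64, pem.encode("ascii")))
```

If a request is refused by either side, running `looks_like_der` or `looks_like_base64` on the file tells you which conversion was skipped or applied twice; the article's own note that Entrust "cannot use a Base64 request" is exactly the `looks_like_der` check failing.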

Process the Request

Take the new (now Base64) request and use the Web enrollment pages of the Stand Alone CA to process the request:
  1. To do this, you must click to select either of the following check boxes:
    • Submit a certificate request by using a base-64-encoded PKCS #10 file
    • Submit a renewal request by using a base-64-encoded PKCS #7 file

  2. Insert the Base64 request in the Saved Request box.
  3. In Attributes, type CertificateTemplate:SubCA.
  4. Install the issued certificate into the Intermediate Certification Authorities store by using the DSStore tool.

Modification Type: Minor
Last Reviewed: 1/26/2006
Keywords:kbhowto KB280746