Issuing enterprise subordinate without a root CA


So I know this might be a little strange, however I'm trying to set up an issuing enterprise subordinate without a root CA server.

Now my knowledge on this is very limited and at the moment I'm just playing around with it. The reason I say without a root CA is because the Linux chaps in the IT team have already provided me with a subCA certificate that I just wanted to resign and issue certs on our Windows infrastructure.

To be honest I don't even know if this is possible and if so how do I do it? Everything is Server 2012 R2 based.

Thank you in advance


Ganesh Kumar A, Sr Infrastructure Specialist, commented:
An enterprise root CA and subordinate CA in Windows 2012 is possible; there is a step-by-step article, and I am providing the link here.

This link provides the steps in a way that is easier to understand. If you have Active Directory in your environment it is easier to install and configure a Root CA and Subordinate CA.

You can install it on a domain controller / member server. In some places you can install it on a member server; on a limited number of servers in your environment you can have it on a DC or ADC. Whichever is feasible for you.
Dave Howe, Software and Hardware Engineer, commented:
You can't re-sign a changed cert without the secret key to the root CA. However, you don't need the entire server: if you have the PFX file for the root key, you can use any CA engine you have available to sign it (including OpenSSL, XCA, Java keytool, etc.).
Pete6748 (Author) commented:
Thank you for your responses. I'm not sure I understand what you're saying, Dave.

I have a .p12 cert signed from our root certificate (I have no control over the root certificate). I also have the password protecting it.

I guess my question should be: where do I start? Do I still need an offline root CA if I already have a signed subCA?

Dave Howe, Software and Hardware Engineer, commented:
The P12 (which is the same file type as a PFX, PKCS#12) is the certificate chain and private key in a single file. The certificate within that is signed by the issuer's (root's) secret key (not its own secret key), and any change to the certificate will invalidate that signature (that, after all, is why it is digitally signed). To re-sign a changed cert, you need the secret key for the issuer.

Of course, if the cert you have doesn't have a chain limit, you can issue *another* enterprise subordinate CA from the first; you will need to make sure anyone needing to follow the trust chain can find (or has) the cert from the sub CA, but you can do that with (for example) an authority record in the issued third-level CA.

I would personally be concerned about having a P12 issued though; that implies that the issuer has access to the secret key for the new subordinate CA, so can fake valid certificates from that CA if they choose to.
Pete6748 (Author) commented:
Morning Dave,

Thank you for your response. I found a really good link that I'll post below that describes what I've been trying to get at.
Dave Howe, Software and Hardware Engineer, commented:
Ah, ok. Yeah, as a matter of policy, I do this myself; the offline root should *not* be a machine (in my opinion, of course), but there should be a valid CRL server for it so that if an intermediate is compromised, you can revoke it. I use XCA for the offline root, and export then print the PEM-encoded form of the key and cert onto paper; that goes in an envelope, the envelope is sealed and signed by the CEO, and goes into the corporate safe as a final-failback copy.

The working XCA keystore goes into a TrueCrypt container, and a backup of that container is kept. The exported CRL is copied to an internal intranet server, using a unique internal DNS name (root-crl.domain.local, so I can move it between physical servers), and used only to issue intermediate CAs with a path constraint of 1. Export the root cert to group policy, and you are done :D
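The three points Dave makes above (a P12 carries the private key as well as the chain, a cert cannot be usefully re-signed without the issuer's key, and a path length constraint on the intermediate caps how deep the chain may go) can be checked end to end with a throwaway PKI. The script below is an added example written for this thread; it is not the poster's setup, XCA, or any Microsoft tooling. It assumes a POSIX shell with openssl 1.1.1 or later on the PATH; every subject name, file name and the P12 password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway three-tier PKI built with openssl.
# It shows (a) that a PKCS#12 bundle contains the private key, (b) that re-signing the
# sub CA cert with its own key breaks the chain to the root, and (c) that pathlen:1 on
# the sub CA allows a third-level CA but rejects a fourth-level one.
# All names and the password are constructed; nothing here touches a real CA.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extension profiles: unconstrained CA, CA limited to one further CA below it, end entity.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_any.cnf
printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_pl1.cnf
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.cnf

# new_csr NAME CN : generate a P-256 key (fast to create) and a CSR for it
new_csr() {
  openssl req -new -config req.cnf -subj "/CN=$2" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}
# sign NAME ISSUER EXTFILE : issue NAME.crt from NAME.csr using ISSUER's private key
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}
# build_pki : root -> sub (pathlen:1) -> ca3 -> leaf3 is a valid path;
#             root -> sub (pathlen:1) -> ca3 -> ca4 -> leaf4 has one CA too many
build_pki() {
  new_csr root "Constructed Offline Root"
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca_any.cnf -out root.crt >/dev/null 2>&1
  new_csr sub   "Constructed Sub CA";          sign sub   root ca_pl1.cnf
  new_csr ca3   "Constructed Third-level CA";  sign ca3   sub  ca_any.cnf
  new_csr ca4   "Constructed Fourth-level CA"; sign ca4   ca3  ca_any.cnf
  new_csr leaf3 "host3.example.test";          sign leaf3 ca3  leaf.cnf
  new_csr leaf4 "host4.example.test";          sign leaf4 ca4  leaf.cnf
  cat sub.crt ca3.crt ca4.crt > intermediates.pem
}
# chains_to_root NAME : exit 0 if NAME.crt validates to root.crt via the intermediates
chains_to_root() {
  openssl verify -CAfile root.crt -untrusted intermediates.pem "$1.crt" >/dev/null 2>&1
}
# bundle_p12 : the kind of file the Linux team handed over -- key, sub cert and root chain
bundle_p12() {
  openssl pkcs12 -export -inkey sub.key -in sub.crt -certfile root.crt \
    -passout pass:constructed-password -out sub.p12 >/dev/null 2>&1
}
# p12_has_key : exit 0 if the bundle contains a private key (whoever built it holds the key)
p12_has_key() {
  openssl pkcs12 -in sub.p12 -passin pass:constructed-password -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}
# resign_sub : "re-sign" the sub cert with its own key; the root's signature is replaced and
#              the issuer becomes the sub itself, so the result no longer chains to the root
resign_sub() {
  openssl x509 -in sub.crt -signkey sub.key -days 3650 -out sub_resigned.crt >/dev/null 2>&1
}

# Stand-alone run: build everything and report each check.
build_pki; bundle_p12; resign_sub
p12_has_key && echo "P12 bundle: contains the private key"
chains_to_root sub && echo "sub CA (signed by root): trusted"
chains_to_root sub_resigned || echo "sub CA re-signed with its own key: rejected"
chains_to_root leaf3 && echo "leaf via third-level CA: trusted (1 CA below sub, pathlen:1 ok)"
chains_to_root leaf4 || echo "leaf via fourth-level CA: rejected (2 CAs below sub exceed pathlen:1)"
```

Run it as `sh demo.sh` in any scratch directory; it writes only into a temp directory. Adding `-text -noout` to an `openssl x509 -in sub.crt` call shows the `pathlen:1` constraint in the sub CA cert, which is the setting that makes leaf4 fail while leaf3 passes.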

Pete6748 (Author) commented:
Thanks Dave, that's what I was after.