Requirements and Exceptions
This section identifies the requirements you must meet if you choose to use your own CA to generate a new authority certificate.
You cannot use a server SSL certificate (such as a wildcard certificate) as your sub-authority certificate.
Requirements of the New Sub-Authority Certificate
When issuing the certificate:
• Must have a basic constraints extension
The extension indicates that the certificate is able to issue other certificates. You may choose to specify that the path length is 0 (meaning that the certificate cannot be used to create an issuing certificate). For more information, see RFC 5280.
• Must have KeyCertSign and CrlSign key usage extensions
When installing the certificate on the console machine:
• Must have an associated private key
• Must be located in the computer account's Intermediate Certification Authorities certificate store
When you configure your environment to work with a third-party CA, the console will no longer automatically update an expiring root certificate. Security Controls will provide a warning when the certificate is nearing its expiration date, but it will be up to the local administrator to manually create the new certificate using their own CA.
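The requirements above can be checked on the console machine before relying on the certificate. The following PowerShell is an added example, not part of Security Controls: the function name Test-SubAuthorityCertificate is hypothetical and the thumbprint is a placeholder you must replace with your own certificate's value.

```powershell
# Added example: reports whether a certificate meets the sub-authority requirements.
# Test-SubAuthorityCertificate is a hypothetical helper name, not a product cmdlet.
function Test-SubAuthorityCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # .NET decodes these two extensions into typed objects when present.
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    [pscustomobject]@{
        Subject             = $Certificate.Subject
        HasBasicConstraints = [bool]$bc
        # A server SSL certificate fails here: its basic constraints do not mark it as a CA.
        IsCA                = [bool]($bc -and $bc.CertificateAuthority)
        PathLength          = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
        HasKeyCertSign      = [bool]($ku -and $ku.KeyUsages.HasFlag($flags::KeyCertSign))
        HasCrlSign          = [bool]($ku -and $ku.KeyUsages.HasFlag($flags::CrlSign))
        HasPrivateKey       = $Certificate.HasPrivateKey
        # Renewal is manual with a third-party CA, so surface the remaining lifetime.
        DaysUntilExpiry     = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    }
}

# Placeholder: replace with the thumbprint of your sub-authority certificate.
$thumbprint = '<THUMBPRINT-OF-YOUR-SUB-AUTHORITY-CERTIFICATE>'

# Cert:\LocalMachine\CA is the computer account's Intermediate Certification Authorities store.
$found = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $found) {
    Write-Warning "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\CA"
} else {
    $found | ForEach-Object { Test-SubAuthorityCertificate -Certificate $_ }
}
```

Every Boolean field in the output should be True; PathLength shows 0 if you chose that constraint when issuing the certificate, or 'none' if no path length was set.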