Security Controls

Requirements and Exceptions

This section identifies the requirements you must meet if you choose to use your own CA to generate a new authority certificate.

You cannot use a server SSL certificate (such as a wildcard certificate) as your sub-authority certificate.

Requirements of the New Sub-Authority Certificate

Must have a basic constraints extension

The extension indicates that the certificate is able to issue other certificates. You may choose to specify a path length of 0 (meaning that the certificate cannot be used to create an issuing certificate). For more information, see RFC 5280.

Must have KeyCertSign and CrlSign key usage extensions

Must have an associated private key on the Security Controls console machine

Must be located in the computer account's Intermediate Certification Authorities certificate store on the console machine


When you configure your environment to work with a third-party CA, the console will no longer automatically update an expiring root certificate. Security Controls will provide a warning when the certificate is nearing its expiration date, but it will be up to the local administrator to manually create the new certificate using their own CA.
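The following PowerShell function is an added example, not part of the product or its documentation. It checks a candidate certificate against the requirements listed above and flags an approaching expiration. The function name `Test-SubAuthorityCertificate`, the thumbprint placeholder and the 60-day warning window are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: verifies a candidate sub-authority certificate against the
# requirements on this page. Function name and defaults are hypothetical.
function Test-SubAuthorityCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 60   # assumed warning window, not a product setting
    )

    # Cert:\LocalMachine\CA is the computer account's
    # Intermediate Certification Authorities store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ InIntermediateStore = $false }
    }

    # .NET returns typed objects for the well-known extensions.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }

    # A path length is only meaningful when the constraint is present.
    $pathLen = $null
    if ($bc -and $bc.HasPathLengthConstraint) { $pathLen = $bc.PathLengthConstraint }

    [pscustomobject]@{
        InIntermediateStore = $true
        HasBasicConstraints = [bool]$bc
        IsCertificateAuthority = [bool]($bc -and $bc.CertificateAuthority)
        PathLength          = $pathLen
        HasKeyCertSign      = [bool]($ku -and
            $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyCertSign))
        HasCrlSign          = [bool]($ku -and
            $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::CrlSign))
        HasPrivateKey       = $cert.HasPrivateKey
        NotAfter            = $cert.NotAfter
        ExpiresSoon         = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
    }
}

# Placeholder thumbprint: replace with the value from your own certificate.
Test-SubAuthorityCertificate -Thumbprint '<THUMBPRINT-OF-YOUR-SUB-AUTHORITY-CERT>'
```

Run it in an elevated session on the console machine. Every Boolean except `ExpiresSoon` should be `True` for a certificate that meets the requirements.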
