Requirements and Exceptions
This section identifies the requirements you must meet if you choose to use your own CA to generate a new authority certificate.
You cannot use a server (end-entity) SSL certificate, such as a wildcard certificate, as your sub-authority certificate.
Requirements of the New Sub-Authority Certificate
When issuing the certificate
- Must have a basic constraints extension
- Must have KeyCertSign and CrlSign key usage extensions
- Must use DER ASN.1
- A separate certificate must be issued for each console server; you cannot issue a single certificate for multiple console servers
The basic constraints extension indicates that the certificate is able to issue other certificates (CA:TRUE). You may choose to set the path length to 0, meaning the certificate can issue end-entity certificates but cannot be used to create a further issuing certificate. For more information, see RFC 5280.
When installing the certificate on the console machine
- Must have an associated private key
- Must be located in the computer account's Intermediate Certification Authorities certificate store
Exceptions
When you configure your environment to work with a third-party CA, the console will no longer automatically update an expiring root certificate. Security Controls will provide a warning when the certificate is nearing its expiration date, but it will be up to the local administrator to manually create the new certificate using their own CA.
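The following script is an added example, not part of the product documentation, showing how the requirements above can be satisfied and verified with OpenSSL, and how the expiry check that the console no longer performs for you can be scripted. It builds a throwaway root CA standing in for "your own CA", issues a DER-encoded sub-authority certificate for one console server with basic constraints (CA:TRUE, pathlen:0) and the keyCertSign/cRLSign key usages, then checks those extensions, checks the remaining lifetime, and shows that a wildcard server certificate fails the same check. All names (the root CA, the `console01` hostname, `*.example.test`, the working directory) are constructed for the example.

```shell
#!/bin/sh
# Added example (not the product's own code): issue a compliant sub-authority
# certificate with OpenSSL, verify the required extensions, and check expiry.
# All subject names, hostnames and paths below are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed root standing in for "your own CA"; created once, reused after.
make_root() {
  if [ ! -f "$WORKDIR/root.pem" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
      -subj "/CN=Example Root CA" \
      -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" >/dev/null 2>&1
  fi
}

# Sign a CSR with the root using the given extension file; output is DER.
sign_with_root() {
  csr="$1"; extfile="$2"; out="$3"; days="$4"
  openssl x509 -req -days "$days" -sha256 -in "$csr" \
    -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -extfile "$extfile" -outform DER -out "$out" >/dev/null 2>&1
}

# Issue one sub-authority certificate per console server (argument: hostname).
# Profile: CA:TRUE with pathlen:0 (may sign end-entity certificates only),
# key usage keyCertSign + cRLSign, both marked critical.
issue_subca() {
  console="$1"
  make_root
  cat > "$WORKDIR/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Console Sub CA $console" \
    -keyout "$WORKDIR/$console.key" -out "$WORKDIR/$console.csr" >/dev/null 2>&1
  sign_with_root "$WORKDIR/$console.csr" "$WORKDIR/subca.ext" "$WORKDIR/$console.cer" 1825
  echo "$WORKDIR/$console.cer"
}

# Issue a wildcard server certificate: the kind the page says must NOT be used
# as a sub-authority. Used here only to show the check rejecting it.
issue_server_cert() {
  make_root
  cat > "$WORKDIR/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.test" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" >/dev/null 2>&1
  sign_with_root "$WORKDIR/server.csr" "$WORKDIR/server.ext" "$WORKDIR/server.cer" 365
  echo "$WORKDIR/server.cer"
}

# Verify a DER file against the listed requirements. Parsing with -inform DER
# enforces the DER requirement; the greps cover basic constraints and key usage.
check_subca() {
  cert="$1"
  text=$(openssl x509 -inform DER -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "reject: basicConstraints is not CA:TRUE"; return 1; }
  printf '%s\n' "$text" | grep -q 'Certificate Sign' \
    || { echo "reject: keyCertSign key usage missing"; return 1; }
  printf '%s\n' "$text" | grep -q 'CRL Sign' \
    || { echo "reject: cRLSign key usage missing"; return 1; }
  echo "ok"
}

# Non-zero exit when the certificate expires within N days (default 30); the
# console no longer renews this certificate for you, so schedule this check.
check_expiry() {
  cert="$1"; days="${2:-30}"
  openssl x509 -inform DER -in "$cert" -noout -checkend $((days * 86400))
}
```

The private key is written beside each certificate so the "associated private key" requirement can be met when the pair is imported into the computer account's Intermediate Certification Authorities store on the console machine (bundling the two as PKCS#12 with `openssl pkcs12 -export` is the usual transport). Run `check_expiry` from a scheduled task with a threshold that leaves enough time to reissue the certificate from your CA.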