Requirements and Exceptions

This section identifies the requirements you must meet if you choose to use your own CA to generate a new authority certificate.

You cannot use a server SSL certificate (such as a wild card certificate) as your sub-authority certificate.

Requirements of the New Sub-Authority Certificate

When issuing the certificate

  • Must have a basic constraints extension
  • The extension indicates that the certificate is able to issue other certificates. You may choose to specify that the path length is 0 (meaning that certificate cannot be used to create an issuing certificate). For more information, see RFC 5280.

  • Must have KeyCertSign and CrlSign key usage extensions
  • Must use DER ASN.1

When installing the certificate on the console machine

  • Must have an associated private key
  • Must be located in the computer account's Intermediate Certification Authorities certificate store


When you configure your environment to work with a third-party CA, the console will no longer automatically update an expiring root certificate. Security Controls will provide a warning when the certificate is nearing its expiration date, but it will be up to the local administrator to manually create the new certificate using their own CA.