Requirements and Exceptions

This section identifies the requirements you must meet if you choose to use your own CA to generate a new authority certificate.

You cannot use a server SSL certificate (such as a wildcard certificate) as your sub-authority certificate. A server certificate is an end-entity certificate: it carries no CA basic constraint and no keyCertSign key usage, so it cannot sign the certificates the console issues.

Requirements of the New Sub-Authority Certificate

When issuing the certificate

Must have a basic constraints extension with the cA flag set to TRUE

The extension indicates that the certificate is allowed to issue other certificates. RFC 5280 requires it to be marked critical in CA certificates. You may choose to specify a path length of 0, meaning the sub-authority can issue end-entity certificates but cannot issue any further CA (issuing) certificates. For more information, see RFC 5280, section 4.2.1.9.

Must have a key usage extension with the keyCertSign and cRLSign bits set

When installing the certificate on the console machine

Must have an associated private key

Must be located in the computer account's Intermediate Certification Authorities certificate store (Certificates (Local Computer) > Intermediate Certification Authorities in the MMC snap-in; Cert:\LocalMachine\CA in PowerShell)

Exceptions

When you configure your environment to work with your own (third-party) CA, the console no longer automatically renews an expiring root certificate. Security Controls warns when the certificate is nearing its expiration date, but it is up to the local administrator to issue the replacement certificate from their own CA and install it manually.
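The following PowerShell script is an added example, not Ivanti's own code or part of the Security Controls product. It walks through the requirements above end to end: it issues a sub-authority certificate with the required basic constraints and key usage, installs it with its private key into the computer account's Intermediate Certification Authorities store, and then checks every requirement (plus the expiry caveat from the Exceptions section) against the installed certificate. It assumes the signing certificate of your own CA, with its private key, is in the console machine's Personal store; if your CA runs elsewhere (for example an AD CS server), issue the certificate there, export it as a PFX, and start at the Import-PfxCertificate step. The subject name, thumbprint, file path and 90-day warning threshold are placeholders.

```powershell
# Added example; not Ivanti Security Controls' own code. Run from an elevated
# prompt on the console machine. Requires the PKI module (Windows 8 / Server 2012+).

# --- Issuing -----------------------------------------------------------------
# Assumption: your CA's signing certificate and private key are in Cert:\LocalMachine\My.
$caThumbprint = 'REPLACE_WITH_YOUR_CA_THUMBPRINT'   # placeholder
$issuer = Get-Item -Path "Cert:\LocalMachine\My\$caThumbprint"

$subCa = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Security Controls Sub-Authority' `            # placeholder subject
    -Signer $issuer `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign `                              # keyCertSign + cRLSign
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') ` # basicConstraints
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# --- Installing --------------------------------------------------------------
# Export with the private key, then import into the store the console reads from.
$pfxPath = 'C:\Temp\subca.pfx'                                 # placeholder path
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $subCa -FilePath $pfxPath -Password $pfxPassword | Out-Null

$installed = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\CA' -Password $pfxPassword

# --- Checking ----------------------------------------------------------------
function Test-SubAuthorityCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$ExpiryWarningDays = 90                           # assumed threshold
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Requirement: basic constraints extension with cA=TRUE.
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    if (-not $bc) {
        $problems.Add('missing basic constraints extension')
    } elseif (-not $bc.CertificateAuthority) {
        $problems.Add('basic constraints has cA=FALSE: this is an end-entity (e.g. server SSL) certificate')
    }

    # Requirement: key usage extension with keyCertSign and cRLSign set.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $required = $flags::KeyCertSign -bor $flags::CrlSign
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku) {
        $problems.Add('missing key usage extension')
    } elseif (($ku.KeyUsages -band $required) -ne $required) {
        $problems.Add("key usage is '$($ku.KeyUsages)'; needs KeyCertSign and CrlSign")
    }

    # Requirement: private key present on this machine.
    if (-not $Certificate.HasPrivateKey) {
        $problems.Add('no private key is associated with the certificate')
    }

    # Requirement: located in the computer account's Intermediate Certification Authorities store.
    $inStore = Get-ChildItem -Path 'Cert:\LocalMachine\CA' |
        Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
    if (-not $inStore) {
        $problems.Add('not found in Cert:\LocalMachine\CA (Intermediate Certification Authorities)')
    }

    # A wildcard subject is a strong sign someone supplied a server certificate by mistake.
    if ($Certificate.Subject -match 'CN=\*') {
        $problems.Add("subject '$($Certificate.Subject)' looks like a wildcard server certificate")
    }

    # Caveat: with your own CA there is no automatic renewal, so watch the expiry date.
    $daysLeft = ($Certificate.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $ExpiryWarningDays) {
        $problems.Add("expires in $daysLeft days; renewal must be done manually from your CA")
    }
    return $problems
}

$problems = Test-SubAuthorityCertificate -Certificate $installed
if ($problems.Count -eq 0) {
    Write-Host "OK: $($installed.Thumbprint) meets the sub-authority requirements"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Once the imported copy in Cert:\LocalMachine\CA passes, the temporary copy that New-SelfSignedCertificate left in Cert:\LocalMachine\My and the PFX file can be removed. The check function is also useful on its own against a certificate issued elsewhere: pass it any object from Get-ChildItem Cert:\LocalMachine\CA to confirm the CA flag, key usage bits, private key and store location before pointing the console at it.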