Creating Trust Between a Subordinate CA and a Root CA

The Certificate Authority service will not start automatically until you obtain a certificate from another CA using the request file in the Certs directory. You must copy the certificate from the CA directory to the Certs directory, and then run the Certificate Server Hierarchy Configuration tool (Certhier.exe) to establish a trust relationship between the root CA and the subordinate CA.

To create a trust relationship between a subordinate CA and a root CA
  1. From the Certs directory on the subordinate CA computer, copy the .req file to a floppy disk.
  2. At the root CA computer, log on as an Administrator.
  3. From the command prompt, type the following command, where <filename> is the name of the request file:

    certreq a:\<filename>.req a:\<filename>.crt

  4. From the shared certificate directory, copy the signature file of the root CA to the floppy disk. The following files are now on the floppy disk:
  5. From the subordinate CA computer, copy the root CA signature file to the Winnt\System32 directory, and name it RootCa.crt.

    Note This file must be copied as RootCa.crt, not RootMachineName_RootCAName.crt, where RootMachineName is the name of your computer and RootCAName is the name of your CA.

  6. Copy the new signed .crt file and the original .req file from the floppy disk to the shared directory.

    Note The subordinate CA certificate is SubMachineName_SubCAName.crt, where SubMachineName is the name of the computer where the subordinate CA is installed and SubCAName is the name of the subordinate CA.

  7. Verify that the following registry value exists. If it does not, add it as a new string value.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<SubCAName>\HierFileName

    where <SubCAName> is the name of the subordinate CA. Set the registry value to <path><SubCAName>, where <path> is the complete path to the shared certificate directory and <SubCAName> is the name of the .req file without the .req extension. For example:

    c:\certs\SubMachineName_SubCAName

  8. From the command prompt, run Certhier.exe.
  9. In Control Panel, double-click Services, and then start the Certificate Authority service.
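The following PowerShell script is an added example, not part of the original Microsoft page, that carries out the subordinate-CA side of the procedure above (copying RootCa.crt into System32, copying the signed .crt and the .req into the shared directory, setting HierFileName, running Certhier.exe and starting the service). Before it touches the registry or the service it checks that the signed certificate actually chains to RootCa.crt, which the manual procedure never verifies and which is what the rest of the hierarchy will silently depend on. The directory C:\certs, the CA name SubCAName, the file base name SubMachineName_SubCAName and the root certificate's file name on the floppy are assumed values, and Certhier.exe is assumed to be on the PATH as "from the command prompt" implies.

```powershell
# Added example, not the page's own code. Assumed values: shared directory C:\certs,
# subordinate CA named SubCAName, request/certificate base name SubMachineName_SubCAName,
# root CA certificate copied to the floppy as A:\RootMachineName_RootCAName.crt.
$SharedDir  = 'C:\certs'
$SubCAName  = 'SubCAName'
$BaseName   = 'SubMachineName_SubCAName'
$RootOnDisk = 'A:\RootMachineName_RootCAName.crt'

# The root certificate must land in System32 under the fixed name RootCa.crt.
$RootCrt = Join-Path $env:SystemRoot 'System32\RootCa.crt'
Copy-Item -Path $RootOnDisk -Destination $RootCrt -Force

# The signed subordinate certificate and its original request go to the shared directory.
Copy-Item -Path "A:\$BaseName.crt" -Destination $SharedDir -Force
Copy-Item -Path "A:\$BaseName.req" -Destination $SharedDir -Force

# Check before going further: does the .crt really chain to the file now called RootCa.crt?
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCrt
$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $SharedDir "$BaseName.crt")

if ($sub.Issuer -ne $root.Subject) {
    throw "Issuer of $BaseName.crt ($($sub.Issuer)) does not match the subject of RootCa.crt ($($root.Subject))."
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# The root is not in the machine store yet, so offer it through ExtraStore and accept an
# unknown root; the signature on the subordinate certificate is still checked against it.
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
if (-not $chain.Build($sub)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain from $BaseName.crt to RootCa.crt did not build: $status"
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    throw "Chain ended at $($top.Subject), not at the certificate in RootCa.crt."
}

# HierFileName = <path><SubCAName>: the .req file's full path without the .req extension.
$KeyPath      = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$SubCAName"
$HierFileName = Join-Path $SharedDir $BaseName    # e.g. C:\certs\SubMachineName_SubCAName
if ($null -eq (Get-ItemProperty -Path $KeyPath -Name HierFileName -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $KeyPath -Name HierFileName -Value $HierFileName -PropertyType String | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name HierFileName -Value $HierFileName
}

# Establish the hierarchy, then start the service (service name CertSvc, from the registry path above).
& certhier.exe
if ($LASTEXITCODE -ne 0) { throw "certhier.exe exited with code $LASTEXITCODE" }
Start-Service -Name CertSvc
```

Run it from an elevated prompt on the subordinate CA computer after the root CA has signed the request. The chain check is deliberately placed before the registry write: if the wrong file was renamed to RootCa.crt, or the .crt on the floppy was signed by some other CA, the script stops with the issuer or chain-status mismatch instead of leaving a CA service configured against a root it does not actually trust.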

© 1998 Microsoft Corporation. All rights reserved.