Two-level certification authority

  • Question

  • Hi everyone,

    I have two questions, relating to a not so widespread scenario: a two-level hierarchy, using an Enterprise Root CA and an intermediate (issuer) CA. Maybe someone can clarify this, or point to some good guides.

    1) What is the difference between downloading the certificate of the Root CA and downloading the "certificate chain" of the Root CA (using the /certsrv webpage of the Root CA, not the intermediate one)? As far as I understand, they should both contain exactly the same certificate: the single Root CA certificate. The only difference is the extension of these two files: .CER vs .P7B (the useful payload cannot easily be read by eye, as it is a Base64 file format, so they are not identical).

    2) Do I need to import the whole chain (using the /certsrv webpage of the issuer CA) to establish the trust relationship on a client that would like to accept a certificate coming from the intermediate CA? Or is it enough to import the single Root CA certificate OR the single intermediate certificate?

    As an additional note, it is a 3rd party platform, so it is not using the standard Windows certificate stores.

    Thanks in advance.

    Wednesday, September 17, 2008 7:01 AM

All replies

  • You only need to trust the Root CA


    Monday, September 22, 2008 3:59 PM
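
An added example (not part of the original thread) that reproduces both questions with OpenSSL on a constructed two-level PKI: it compares a root `.cer` with a root-only `.p7b`, then verifies a leaf certificate with only the root trusted, once with the intermediate presented alongside it and once without. All CA names and file names are made up, and using OpenSSL as a stand-in for the third-party platform is an assumption.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name below (Lab Root CA, Lab Issuing CA,
# app.lab.example) is made up for this example.
set -eu

issue() {  # issue NAME CN IS_CA [SIGNER]; without SIGNER the cert is self-signed
  name=$1; cn=$2; ca=$3; signer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$name.ext"
  if [ -z "$signer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$name.ext" -out "$name.cer" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.cer" -CAkey "$signer.key" \
      -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.cer" 2>/dev/null
  fi
}

build_pki() {
  issue root    "Lab Root CA"     TRUE
  issue issuing "Lab Issuing CA"  TRUE  root
  issue leaf    "app.lab.example" FALSE issuing
  # Root-only "certificate chain": a PKCS#7 bundle holding just the root cert
  openssl crl2pkcs7 -nocrl -certfile root.cer -out root.p7b
}

cer_fp()    { openssl x509 -in "$1" -noout -fingerprint -sha256; }
p7b_fp()    { openssl pkcs7 -in "$1" -print_certs | openssl x509 -noout -fingerprint -sha256; }
p7b_count() { openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'; }

# verify_leaf TRUSTED [UNTRUSTED]: TRUSTED is the client's only trust anchor;
# UNTRUSTED stands for intermediates the peer presents with its certificate.
verify_leaf() {
  openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.cer >/dev/null 2>&1
}

cd "$(mktemp -d)"
build_pki
echo "root.cer: $(cer_fp root.cer)"
echo "root.p7b: $(p7b_fp root.p7b) ($(p7b_count root.p7b) certificate in bundle)"
verify_leaf root.cer issuing.cer && echo "root trusted, intermediate presented: OK"
verify_leaf root.cer || echo "root trusted, intermediate missing: verification fails"
```

The second verification fails only because nothing supplies the intermediate; the trust anchor is the same root in both runs.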