Verifying Qualified Subordination

Once you publish the necessary Cross Certification Authority certificates to Active Directory, you should verify their publication. The recommended verification method is the certutil command described here.

1. Open a command prompt.

2. At the command prompt, type certutil -viewstore "CN=CAName,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDN?crossCertificatePair" (where CAName is the name of the CA to which the Cross Certification Authority certificate is issued, and ForestRootDN is the LDAP distinguished name of the forest that issued the Cross Certification Authority certificate).

3. In the View Certificate Store dialog box, select the Cross Certification Authority certificate you want to view and click View Certificate.

4. In the Certificate dialog box, on the Certification Path tab, ensure that the certification path shows that the CAName certificate is chained to your organization's root CA certificate.

This process should be repeated for each Cross Certification Authority certificate published in your organization's Active Directory.
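
To avoid missing an entry when repeating the check, the following PowerShell sketch (an added example, not part of the original procedure) finds every object in the AIA container that carries a crossCertificatePair value and opens each one with certutil -viewstore, so that steps 3 and 4 can be carried out in each dialog box. It assumes a domain-joined machine with read access to the Configuration partition, and it passes the store to certutil in the ldap:/// URL form that certutil documents for directory stores.

```powershell
# Added example: list AIA objects holding cross certificates, then view each.
# Assumes the current user can read the forest's Configuration partition.

# CN=Configuration,ForestRootDN is read from RootDSE instead of being typed.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$aiaDN    = "CN=AIA,CN=Public Key Services,CN=Services,$configNC"

# Search one level below the AIA container for objects where the
# crossCertificatePair attribute is present.
$searcher             = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$aiaDN"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(crossCertificatePair=*)'
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('crossCertificatePair')

$results = $searcher.FindAll()
try {
    if ($results.Count -eq 0) {
        Write-Warning "No crossCertificatePair values found under $aiaDN"
        return
    }

    foreach ($entry in $results) {
        # Property names in search results are stored in lower case.
        $dn    = [string]$entry.Properties['distinguishedname'][0]
        $count = $entry.Properties['crosscertificatepair'].Count
        Write-Host "$dn : $count crossCertificatePair value(s)"

        # ${dn} is braced because '?' is a legal character in a PowerShell
        # variable name and would otherwise be read as part of it.
        certutil -viewstore "ldap:///${dn}?crossCertificatePair"
    }
}
finally {
    # FindAll() holds unmanaged resources until disposed.
    $results.Dispose()
}
```

The count printed for each object should match the number of Cross Certification Authority certificates you published for that CA; a CA missing from the output has no cross certificate published at all.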
