Can MS Certificate Services be a Subordinate Enterprise CA beneath a Root CA created with OpenSSL

Yes this is possible, if you consider a few additional configuration entries for the openssl config file.


Suppose a scenario where you want to deploy a multi-tiered certificate authority, using open ssl on a non-networked (offline) device to store your top level Root Certificate Authority (a linux box perhaps).

The device would remain offline to mitigate the network attack vector to steal the private key of the top level Root CA.

Subsequently, a MS Enterprise Subordinate Certificate Authority would be certified in the certificate chain to certify downstream certificates.


The Microsoft Certificate Authority expects valid AIA and CDP locations in the root CA certificate.

These url locations should be entered in the openssl configuration file before creation of the root CA or certification of the MS subordinate enterprise CA.


Setting up a certificate authority with openssl is beyond the scope op this tutorial, but there is a very good tutorial on the subject hosted at https://jamielinux.com/docs/openssl-certificate-authority/index.html


This tutorial assumes that you have set up a Root certificate authority with openssl according above tutorial up until verifying the root certificate, keeping in mind the following additions to the openssl.cnf config file.


As per the tutorial, the openssl config file would reside on the following location: /root/ca/openssl.cnf


Under the [ v3_ca ] and the [ v3_intermediate_ca ] sections the following two lines need to be added:

(these are the valid AIA and CDP locations that the Microsoft CA expects to be present)


authorityInfoAccess = caIssuers;URI:http://root-ca.mydomain.local/root.pem

crlDistributionPoints = URI:http://root-ca.mydomain.local/root.crl


Note that these two files will need to be present on your MS webserver before completion of your certificate signing request from your MS Enterprise Subordinate CA, or else the completion of the certificate signing request will fail because the MS Enterprise Subordinate CA fails to verify the validity of the Root CA Certificate and the Subordinate certificate.

Published by

Ronny Van den Broeck

I'm a network and system engineer for more than 20 years now. During this period I became a pro in hunting down one's and zero's, with an eager mindset to help people accomplish the same or abstract them away from the matrix.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s