AD CS Cross-Certification

Applies To: Windows Server 2008 R2

When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.

To support these scenarios, a pair of cross-certificates is also created to establish the trust relationship between the original and the renewed root certificate:

  • The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
  • The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.

Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, covering the period during which the lifetimes of the two root certificates overlap.
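The two cross-certificates are what let a relying party that trusts only one generation of the root build a chain to certificates issued under the other. The following Python model is an added example, not part of this Microsoft documentation: it implements the Authority Key Identifier to Subject Key Identifier path building that the cross-certificates rely on, with constructed names (Contoso Root CA, key identifiers K1 and K2) and HMAC standing in for real public-key signatures.

```python
import hmac, hashlib
from collections import namedtuple

# Added example (not Microsoft code): a constructed model of chain building across a root
# CA key change. Signatures are simulated with HMAC keyed by the issuing key's secret; the
# path logic (match Authority Key Identifier to Subject Key Identifier) is what matters.
# ski = Subject Key Identifier (the key this cert certifies); aki = Authority Key Identifier
Cert = namedtuple("Cert", "subject issuer ski aki sig")

def sign(subject, issuer, ski, key):
    msg = f"{subject}|{issuer}|{ski}|{key['id']}".encode()
    return Cert(subject, issuer, ski, key["id"], hmac.new(key["secret"], msg, hashlib.sha256).hexdigest())

def verify_sig(cert, ca_keys):
    msg = f"{cert.subject}|{cert.issuer}|{cert.ski}|{cert.aki}".encode()
    expect = hmac.new(ca_keys.get(cert.aki, b""), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert.sig, expect)   # unknown signing key -> no match

def build_chain(cert, trusted, candidates, ca_keys, seen=()):
    """Return [cert, ..., trust anchor] or None. 'trusted' models the Trusted Root store;
    'candidates' models the CA and cross-certificates a relying party can discover."""
    if cert in seen or not verify_sig(cert, ca_keys):
        return None
    for root in trusted:                     # signed directly by a trust anchor?
        if root.ski == root.aki == cert.aki:
            return [cert, root]
    for cand in candidates:                  # otherwise follow AKI -> SKI, skipping self-signed certs
        if cand.ski == cert.aki and cand.ski != cand.aki:
            rest = build_chain(cand, trusted, candidates, ca_keys, seen + (cert,))
            if rest:
                return [cert] + rest
    return None

# Constructed keys and certificates: K1 is the original root key, K2 the renewed one.
K1 = {"id": "K1", "secret": b"original-root-key"}
K2 = {"id": "K2", "secret": b"renewed-root-key"}
CA_KEYS = {k["id"]: k["secret"] for k in (K1, K2)}
ROOT = "Contoso Root CA"
ROOT_V1 = sign(ROOT, ROOT, "K1", K1)          # original self-signed root certificate
ROOT_V2 = sign(ROOT, ROOT, "K2", K2)          # renewed self-signed root certificate (new key)
CROSS_1_TO_2 = sign(ROOT, ROOT, "K2", K1)     # original key certifies the renewed key
CROSS_2_TO_1 = sign(ROOT, ROOT, "K1", K2)     # renewed key certifies the original key
OLD_LEAF = sign("fs01.contoso.com", ROOT, "Kfs01", K1)    # issued before the renewal
NEW_LEAF = sign("web01.contoso.com", ROOT, "Kweb01", K2)  # issued after the renewal

def chain_keys(cert, trusted, with_cross=True):
    # Key identifiers along the built chain, or None if no path to a trust anchor exists.
    cands = [CROSS_1_TO_2, CROSS_2_TO_1] if with_cross else []
    chain = build_chain(cert, trusted, cands, CA_KEYS)
    return None if chain is None else [c.ski for c in chain]
```

A client that still holds only the original root reaches a post-renewal certificate through CROSS_1_TO_2, a client holding only the renewed root reaches a pre-renewal certificate through CROSS_2_TO_1, and with the cross-certificates absent the first case fails to chain at all.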

Events

Event ID  Source                                    Message
99        Microsoft-Windows-CertificationAuthority  Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3.
102       Microsoft-Windows-CertificationAuthority  Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4.
