
Two subordinate CAs with same Subject

Arnau 0 Reputation points
2023-01-24T14:47:17.0433333+00:00

Dear all,

I'm trying to find documentation on how to create a secondary subCA in a two tier PKI conf.
I've read this link and in step 13 it says:

On Configure CA Name page, clear the existing entry for Common name for this CA box, and enter Fabrikam Issuing CA, then select Next.

For the first subCA I guess this can be whatever name you decided. But for the second subCA, I assume that the name must be different. In this question the answer clearly says:

You have to install a brand new subordinate CA (with different name) under existing root.

But I have not found any official doc where this is stated. Can anyone point me to a doc where this "create a second subCA" process is defined?
The problem I have is that in our company we now have two subCAs with the same subject but different keys, and this is creating some spurious SSL problems, and I'm not sure if this is coming from the fact that we have two subCAs with the same name or not.
And, in a more generic scope, what can be the problems of having 2 subCAs with the same name?
TIA
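The failure mode described in the question can be reproduced in a small lab PKI. The following Go program is an added example and is not from the question or from any Microsoft document: it builds a constructed root, two subordinate CAs that share the Subject "Fabrikam Issuing CA" but hold different keys, and a server certificate issued by the second one. It then shows that a relying party holding only the other same-named subordinate cannot validate the leaf (the name matches, the signature does not), that Go's verifier copes when both are present because it disambiguates through the Authority/Subject Key Identifier pair, and it includes a diagnostic that flags CA subjects seen with more than one public key, which is the check to run over a store that behaves oddly. All names, serial numbers and hostnames are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed lab PKI: one root, two subordinate CAs sharing a
// Subject but with different keys, and a leaf issued by the second one.
type Scenario struct {
	Root, SubA, SubB, Leaf *x509.Certificate
	All                    []*x509.Certificate
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newCert generates a fresh P-256 key and issues a certificate for it; with
// parent == nil the certificate is self-signed. Go fills in SubjectKeyId for CA
// templates and copies the parent's SubjectKeyId into AuthorityKeyId.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func BuildScenario() Scenario {
	root, rootKey := newCert(caTemplate("Fabrikam Root CA", 1), nil, nil)
	subA, _ := newCert(caTemplate("Fabrikam Issuing CA", 2), root, rootKey)      // same name...
	subB, subBKey := newCert(caTemplate("Fabrikam Issuing CA", 3), root, rootKey) // ...different key
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "www.fabrikam.example"},
		DNSNames:     []string{"www.fabrikam.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, subB, subBKey)
	return Scenario{root, subA, subB, leaf, []*x509.Certificate{root, subA, subB, leaf}}
}

// VerifyWith tries to chain the leaf to the root using only the given intermediates.
func VerifyWith(s Scenario, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.fabrikam.example"})
	return err
}

// DuplicateSubjects reports CA subjects that appear with more than one distinct
// public key: map from subject string to the number of keys seen.
func DuplicateSubjects(certs []*x509.Certificate) map[string]int {
	keysBySubject := map[string]map[string]bool{}
	for _, c := range certs {
		if !c.IsCA {
			continue
		}
		subj := c.Subject.String()
		if keysBySubject[subj] == nil {
			keysBySubject[subj] = map[string]bool{}
		}
		keysBySubject[subj][string(c.RawSubjectPublicKeyInfo)] = true
	}
	dups := map[string]int{}
	for subj, keys := range keysBySubject {
		if len(keys) > 1 {
			dups[subj] = len(keys)
		}
	}
	return dups
}

func main() {
	s := BuildScenario()
	fmt.Println("only the same-named sub CA with the other key:", VerifyWith(s, s.SubA))
	fmt.Println("the real issuer:", VerifyWith(s, s.SubB))
	fmt.Println("both present (matched via AKI/SKI):", VerifyWith(s, s.SubA, s.SubB))
	fmt.Println("CA subjects seen with more than one key:", DuplicateSubjects(s.All))
}
```

The first verification fails with "certificate signed by unknown authority", which is what a client sees when its store or the server's sent chain carries the wrong-keyed twin. Validators that pick an issuer by Subject alone, without consulting the key identifiers, behave like that first case even when both certificates are available, so a duplicate-subject report over every trust store and every chain a server sends is the quickest way to confirm whether the two subCAs are behind the spurious errors.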


3 answers

  1. Thameur-BOURBITA 36,526 Reputation points Moderator
    2023-01-26T11:43:03.0966667+00:00

    Hi @Arnau

    I confirm that there is no Microsoft official document that recommends avoiding using the same subject name.

    Below are some use cases impacted by two certificates with the same subject:

    PK70752: ERROR USING TWO CERTIFICATES WITH THE SAME SUBJECT NAME AND SERIAL NUMBER

    Multiple root certificates that use the same 'subject' and 'issuer' names may cause TMM to produce a core file

    Please don't forget to mark helpful answer as accepted



  2. Arnau 0 Reputation points
    2023-01-26T07:29:57.53+00:00

    Hello and thanks for your answer.

    The key is new but the subject in both is the same. That link you give me is the same I pasted in my original question, but it's not a guide, it's just an answer.

    I did not find any docs where it's stated that you have to use a different name (I know it's possible to have multiple subordinate CAs with the same name, at least according to the OpenSSL docs, but I do not know the side effects).

    Thanks


  3. Limitless Technology 45,231 Reputation points
    2023-01-25T19:16:35.7166667+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    You have to choose a new private key. You cannot install the same CA twice. That is, you cannot take a backup of an existing subordinate CA and deploy it in another site. You have to install a brand new subordinate CA (with a different name) under the existing root. Follow the same guide you used to deploy the existing subordinate CA.

    Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/answers/questions/666853/adding-a-subordniate-certificate-authority-to-an-e

    Do not hesitate to message us if you need further assistance.

    If the answer is helpful kindly click "Accept as Answer" and up vote it.
