Two subordinate CAs with same Subject

Arnau 0 Reputation points
2023-01-24T14:47:17.0433333+00:00

Dear all,

I'm trying to find documentation on how to create a secondary subCA in a two tier PKI conf.
I've read this link and in step 13 it says:

On Configure CA Name page, clear the existing entry for Common name for this CA box, and enter Fabrikam Issuing CA, then select Next.

For the first subCA I guess this can be whatever name you decided. But for the second subCA, I assume that the name must be different. In this question the answer clearly says:

You have to install a brand new subordinate CA (with different name) under existing root.

But I have not found any official doc where this is stated. Can anyone point me to a doc where this "create a second subCA" process is defined?
The problem I have is that in our company we now have two subCAs with the same subject but different key, and this is creating some spurious SSL problems and I'm not sure if this is coming from the fact that we have two subCAs with the same or not.
And, in a more generic scope, what can be the problems of having 2 subCAs with the same name?
TIA


3 answers

  1. Limitless Technology 44,526 Reputation points
    2023-01-25T19:16:35.7166667+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    You have to choose a new private key. You cannot install the same CA twice. That is, you cannot take a backup of an existing subordinate CA and deploy it in another site. You have to install a brand new subordinate CA (with a different name) under the existing root. Follow the same guide you used to deploy the existing subordinate CA.

    Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/answers/questions/666853/adding-a-subordniate-certificate-authority-to-an-e

    Do not hesitate to message us if you need further assistance.

    If the answer is helpful kindly click "Accept as Answer" and up vote it.


  2. Arnau 0 Reputation points
    2023-01-26T07:29:57.53+00:00

    Hello and thanks for your answer.

    The key is new but the subject in both is the same. That link you gave me is the same I pasted in my original question, but it's not a guide, it's just an answer.

    I did not find any docs where it's stated that you have to use a different name (I know it's possible to have multiple subordinate CAs with the same, at least according to openssl docs, but I do not know the side effects).

    Thanks


  3. Thameur-BOURBITA 35,511 Reputation points
    2023-01-26T11:43:03.0966667+00:00

    Hi @Arnau

    I confirm that there is no Microsoft official document that recommends avoiding using the same subject name.

    Below are some use cases impacted by two certificates with the same subject:

    PK70752: ERROR USING TWO CERTIFICATES WITH THE SAME SUBJECT NAME AND SERIAL NUMBER

    Multiple root certificates that use the same 'subject' and 'issuer' names may cause TMM to produce a core file

    Please don't forget to mark the helpful answer as accepted
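The failure mode the thread is circling (two sub-CAs with one subject but different keys, and clients that pick an issuer by name alone) can be shown concretely. The following is an added example in Python with the `cryptography` library, not code from this thread or from any Microsoft document: it builds a constructed root plus two sub-CAs that both carry the subject "Fabrikam Issuing CA" but different keys, issues a leaf from the second, and compares a name-only issuer lookup with one keyed on the Authority Key Identifier / Subject Key Identifier pair. The CA names, the leaf hostname and all helper functions are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, ca, issuer=None):
    """Constructed test cert. issuer=(cert, key) of the signer; None means self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_cert, signer_key = issuer if issuer else (None, key)
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(signer_cert.subject if signer_cert else _name(subject_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if signer_cert is not None:  # AKI copies the signer's SKI; RFC 5280 path building keys on it
        ski = signer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
    return b.sign(signer_key, hashes.SHA256()), key

def issuers_by_subject(leaf, pool):
    """Naive lookup: match on Issuer DN only; ambiguous once two CAs share a subject."""
    return [c for c in pool if c.subject == leaf.issuer]
def issuers_by_aki(leaf, pool):
    """Robust lookup: match the leaf's AKI key identifier against each candidate's SKI."""
    aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    return [c for c in pool if c.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest == aki]
def signature_valid(child, parent):
    try:
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes, ec.ECDSA(child.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def demo():
    root, root_key = make_cert("Fabrikam Root CA", ca=True)
    sub_a, _ = make_cert("Fabrikam Issuing CA", ca=True, issuer=(root, root_key))
    sub_b, key_b = make_cert("Fabrikam Issuing CA", ca=True, issuer=(root, root_key))
    leaf, _ = make_cert("web01.fabrikam.example", ca=False, issuer=(sub_b, key_b))
    pool = [root, sub_a, sub_b]
    by_dn, by_aki = issuers_by_subject(leaf, pool), issuers_by_aki(leaf, pool)
    return {"by_subject": len(by_dn), "by_aki": len(by_aki), "aki_pick_verifies": signature_valid(leaf, by_aki[0]),
            "other_same_name_verifies": signature_valid(leaf, [c for c in by_dn if c is not by_aki[0]][0])}
```

The name-only lookup returns two candidates and the signature check fails against one of them, which is the shape of an intermittent "spurious" chain error; the same subject-grouping with differing SKIs is also a usable inventory check for spotting duplicate-subject CAs in a store.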
