How to Create Subordinate CA Certificates with Microsoft Certificate Server

How to Create Subordinate CA Certificates with Microsoft Certificate Server

Created On 09/25/18 19:21 PM - Last Modified 05/31/23 21:38 PM



This document shows how to create a subordinate CA certificate with Microsoft Certificate Server.

  • Access the certificate server interface by browsing to http://<ip-address of cert server>/certsrv.
  • On the welcome screen, select Request a Certificate.
  • On the next page, choose to submit an advanced certificate request.
  • Then choose to Create and Submit a request to the CA.
    On the next form, make sure to select Subordinate Certification Authority from the template pull-down menu. Fill in any information for the certificate (name, contact information, and so on). After submitting the request, a link displays to download the certificate to the local system.


  • After downloading, export the certificatefrom the local certificate store.  In the Internet Options dialog, select the Content tab, then click Certificates. The new certificate can now be exported from the Personal certificate store. Click Export to display the Certificate Export Wizard.
  • On the  Export Wizard , select to export the private key, then select the format. Provide a passphrase and a file name/ location for the resulting file.


The Microsoft certificate server will probably provide the certificate in a PFX format (PKCS #12).

To get the certificateinto the PEM format, follow these steps:

  • Using openSSL, enter openssl pkcs12 –in pfxfilename.pfx –out tempfile.pem
  • Open the tempfile.pemin a text editor.
  • Notice the section beginning with -----BEGIN RSA PRIVATE KEY-----
  • Select all of the text that follows up to -----END RSA PRIVATE KEY----- and put it in a new file with a .key extension.
  • Copy the rest of the text from the .pem file and paste it into another file with a .crt extension.
  • The key file and certificate file are now ready to import.


CLI Commands 

Because some customer's Root CA's do not have a webinterface, the same actions can be used via the cli interface.
On a Microsoft CA the command will be:


certreq -submit -attrib "CertificateTemplate:SubCA" <certificate-signing-request>.csr


In this command you'll get a gui prompt pop up where you select the CA that should sign your request. In Normal situations there will only be one Root CA on the same server so you can select the one that is shown. Afterwards you'll find your request in the pending requests interface of the CA server.


owner: panagent


  • Print
  • Copy Link

Choose Language