Add timestamp (1.3.6.1.5.5.7.3.8) to an existing EKU of cross signing certificate template

Abdul Khadar 21 Reputation points
2020-10-19T17:25:48.403+00:00

Hi,
I am new to this topic. Requesting some help here -

Recently my company known as A acquired another company called B.
Company B has built its own internal PKI, and company A has provided a cross-signing certificate from its own internal PKI infrastructure to company B for exchanging signed documents and e-mails between the companies.

Now, company A has received a request to add Time Stamping (1.3.6.1.5.5.7.3.8) to the cross-signing certificate and re-issue the certificate.

Questions -

  1. How do I inject Time Stamping (1.3.6.1.5.5.7.3.8) into the cross-signing certificate?
  2. Does company A need to set up a timestamp server?
  3. Does company A need to set up a URL to retrieve the timestamp signature securely from the CA? Does this URL need to be injected into the cross-signing cert?

Thanking you in advance!!

Regards,
Abdul

Windows Server Security

2 answers

  1. Hannah Xiong 6,276 Reputation points
    2020-10-21T07:39:43.003+00:00

    Hello,

    Thank you so much for posting here.

    Frankly speaking, I am not a professional on this issue. I tried to research some information but failed. I hope someone can share their knowledge or experience here.

    Crypt32 asked how we created the first cross-certificate. We could reply to this question.

    As per my understanding, when duplicating a template, such as Kerberos Authentication, the certificate purposes are determined.

    [image: 33916-111.png]

    Then the servers can request this certificate. When viewing the requested certificate, we can check the Enhanced Key Usage under the Details tab of the certificate.

    [image: 33818-112.png]

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong



  2. Abdul Khadar 21 Reputation points
    2020-10-21T14:03:31.697+00:00

    @Vadims Podāns - How did you create your first cross-certificate? What process did you use?

    Below is the process.
    Company A created 2 new cert templates:

    1. "Cross CA" template. This template is a duplicate of the default template "Cross Certification Authority".
    2. "Cross signing" template. This is a duplicate of the default "Enrollment Agent" template. Application policy is set to "Qualified Subordination".

    Performed the steps below to generate the cross-signing cert:

    1. Obtained company B's CA cert.
    2. Created a policy.inf file (added a few OIDs here, such as Document Signing).
    3. Logged on to the CA server as CA administrator. Manually enrolled a cert from the "Cross CA" template. This cert is now stored in my user profile.
    4. Ran "certutil -policy" on the CA. When prompted, selected company B's CA cert. When prompted again, selected the policy.inf file.
    5. This step generated the CSR file.
    6. Next, submitted this CSR manually to the CA, using the "Cross signing" template. The cert was auto-published in company A's Active Directory.

    Note: The OIDs added in step 2 are reflected in the EKU of the cert signed with the "Cross signing" template.

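As an added example, not code from this thread or from Microsoft's documentation: a PowerShell script that writes a policy.inf carrying the Time Stamping EKU, feeds it to certreq -policy (the command that consumes a policy.inf) together with company B's CA certificate, submits the resulting request to company A's CA with the cross-signing template, and then checks the EKU of the issued certificate. The file names, the CA configuration string "ca01.a.example\A-Issuing-CA" and the template name "CrossSigning" are placeholders; the pre-existing purposes listed (Secure Email, Document Signing) are an assumption based on the thread's mention of signed documents and e-mail, so replace them with whatever the current cross-certificate carries.

```powershell
# Added example, not from the thread. Placeholders: file names, the CA
# config string and the template name "CrossSigning". Run on a domain
# member that can reach company A's issuing CA, as a user allowed to
# enroll the cross-signing template.

# policy.inf for certreq -policy. Single-quoted here-string so that the
# $Windows NT$ signature is not interpolated by PowerShell.
$PolicyInf = @'
[Version]
Signature="$Windows NT$"

; EKU extension (2.5.29.37) of the cross-certificate.
; Keep the purposes already present and add Time Stamping.
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.4
OID = 1.3.6.1.4.1.311.10.3.12
OID = 1.3.6.1.5.5.7.3.8

; Microsoft Application Policies (1.3.6.1.4.1.311.21.10). Windows
; evaluates this next to EKU, so keep the two lists in step.
[ApplicationPolicyStatementExtension]
Policies = AppSecureEmail, AppDocumentSigning, AppTimeStamping
Critical = false

[AppSecureEmail]
OID = 1.3.6.1.5.5.7.3.4

[AppDocumentSigning]
OID = 1.3.6.1.4.1.311.10.3.12

[AppTimeStamping]
OID = 1.3.6.1.5.5.7.3.8

; A cross-certificate should not be able to certify further CAs.
[BasicConstraintsExtension]
PathLength = 0
Critical = true
'@
Set-Content -Path .\policy.inf -Value $PolicyInf -Encoding ASCII

# 1. Build the cross-certification request from company B's CA certificate
#    and the policy file:  certreq -policy RequestFileIn PolicyFileIn RequestFileOut
certreq -policy .\CompanyB-CA.cer .\policy.inf .\CrossCert-B.req

# 2. Submit the request to company A's issuing CA, naming the template.
certreq -submit -config "ca01.a.example\A-Issuing-CA" `
    -attrib "CertificateTemplate:CrossSigning" .\CrossCert-B.req .\CrossCert-B.cer

# 3. Verify that the issued certificate actually carries the Time Stamping
#    EKU; the final EKU depends on the template as well as on the request.
$certPath = (Resolve-Path .\CrossCert-B.cer).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$eku  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

if ($oids -contains '1.3.6.1.5.5.7.3.8') {
    "Time Stamping EKU present. EKU list: $($oids -join ', ')"
} else {
    Write-Warning "Time Stamping EKU missing. EKU list: $($oids -join ', ')"
    Write-Warning "Check the Extensions tab (Application Policies) of the CrossSigning template; its settings can override what the request asked for."
}
```

The last step is the check worth keeping: the OIDs written into policy.inf only end up in the issued certificate if the cross-signing template lets them through, so compare the result against the template's Application Policies before handing the re-issued cross-certificate to company B.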
