This page is part of the Common CA Database (CCADB) Knowledge Base.



Which Intermediate Certificate Data should CAs add to the CCADB?

CAs must add records for: 

  • All certificates that are capable of being used to issue new certificates, that directly or transitively chain to the CA's certificate(s) included in Microsoft's CA Certificate Program, and that are not technically constrained. 
    • This includes every intermediate certificate chaining up to a root certificate in Microsoft's program with the Websites trust bit enabled that is not technically constrained via its Extended Key Usage (EKU) and Name Constraints extensions. 
    • An intermediate certificate is considered technically constrained, and does not need to be added to the CCADB, if any of the following holds: 
      • The intermediate certificate has the Extended Key Usage (EKU) extension and the EKU does not include either of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth; or 
      • The EKU extension in the intermediate certificate includes the anyExtendedKeyUsage or id-kp-serverAuth KeyPurposeId, and the intermediate certificate also includes the Name Constraints extension; or 
      • The root certificate is not enabled with the Websites trust bit. 
    • An intermediate certificate with no EKU extension at all meets neither of the first two conditions, so it is not technically constrained and must be added. 
  • Revoked certificates that were capable of being used to issue new certificates, and which directly or transitively chain to the CA's certificate(s) included in Microsoft's and Mozilla's CA Certificate Programs. 



How to Add Intermediate Certificate Data to the CCADB

To add an intermediate certificate: 

  1. Click on "CA Owners/Certificates" tab.
  2. Find the root certificate that signed the intermediate certificate.
  3. Click on the "New Intermediate Cert" button. This will create a new record for an intermediate cert chaining up to the certificate record you were just viewing. 
  4. Click on the "Add/Update PEM Info" button. This will display a window in which you will paste in the PEM data for the intermediate certificate. 
  5. Copy and paste the PEM data into the window, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. 
  6. Click on "Validate PEM Info" button. This will invoke a program that will try to parse the PEM data and extract certain information. 
  7. If the cert check is successful, then click on the "Update Intermediate Cert" button. 
  8. In the intermediate certificate record you will see that the cert data has been filled in. 
    • Review the filled-in information (Issuer and Subject information, and SHA-1 Fingerprint) to ensure it is the data you expected. If the data is not what you expected, then check that you have the correct PEM data for the certificate you intended to add. Check the section titled "PEM Information..." to make sure the PEM is as you intended. There should not be extra characters before or after the PEM, and the PEM data should not have extra line feeds in it. Repeat this process as needed.
  9. Fill in the information in the "Audit Information" and "Policies and Practices Information" sections. The audits and policies must cover the intermediate certificate. 
    • If the information is the same as for the issuing (parent) certificate, then click on the "Edit" button, check the "... Same as Parent" check-boxes ("CP/CPS Same as Parent" and "Audits Same as Parent"), then click on the "Save" button. 
    • If the information differs from the issuing (parent) certificate, then click on the "Edit" button to enter the audit and policy information. Be sure to click on the "Save" button afterward. 
  10. You can repeat this process as many times as needed to add more intermediate certificates to the same root. If you wish to bulk upload intermediate certificates, please refer to the Q&A.
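As an added worked example (this is not code from the CCADB page or from the CCADB itself): the Go program below applies the technical-constraint rule from the first section to a certificate, performs the PEM sanity checks the how-to describes (BEGIN/END delimiters, no stray text before or after, no extra line feeds), and extracts the Subject, Issuer and SHA-1 fingerprint that are reviewed in step 8. It uses only the Go standard library. The root's Websites trust bit is passed in as a parameter because it is root-program data, not something present in the intermediate certificate; the test certificates, the EKU profiles and the permitted name "example.com" are constructed for the example and stand in for a CA's real intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	oidExtKeyUsage     = asn1.ObjectIdentifier{2, 5, 29, 37} // id-ce-extKeyUsage
	oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30} // id-ce-nameConstraints
	EKUNone            []x509.ExtKeyUsage                    // EKU profiles for constructed test certs
	EKUEmailOnly       = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	EKUServerAuth      = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
)

// IntermediateInfo holds the fields a CA reviews after "Validate PEM Info" and
// the two extension facts the technical-constraint rule depends on.
type IntermediateInfo struct {
	Subject, Issuer, SHA1Fingerprint                string
	HasEKU, EKUAllowsServerAuth, HasNameConstraints bool
}

// ParsePEM rejects text before/after the block and blank lines (extra line feeds) inside it.
func ParsePEM(pemData string) (*x509.Certificate, error) {
	s := strings.TrimSpace(pemData)
	if !strings.HasPrefix(s, "-----BEGIN CERTIFICATE-----") || !strings.HasSuffix(s, "-----END CERTIFICATE-----") {
		return nil, errors.New("PEM must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
	}
	for _, line := range strings.Split(s, "\n") {
		if strings.TrimSpace(line) == "" {
			return nil, errors.New("PEM contains an empty line (extra line feed)")
		}
	}
	block, rest := pem.Decode([]byte(s))
	if block == nil || block.Type != "CERTIFICATE" || len(rest) != 0 {
		return nil, errors.New("expected exactly one CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Inspect records Subject, Issuer, the SHA-1 of the DER bytes, and which extensions are present.
func Inspect(cert *x509.Certificate) IntermediateInfo {
	info := IntermediateInfo{Subject: cert.Subject.String(), Issuer: cert.Issuer.String(),
		SHA1Fingerprint: fmt.Sprintf("%X", sha1.Sum(cert.Raw))}
	for _, ext := range cert.Extensions {
		info.HasEKU = info.HasEKU || ext.Id.Equal(oidExtKeyUsage)
		info.HasNameConstraints = info.HasNameConstraints || ext.Id.Equal(oidNameConstraints)
	}
	for _, ku := range cert.ExtKeyUsage { // Go decodes anyExtendedKeyUsage as ExtKeyUsageAny
		info.EKUAllowsServerAuth = info.EKUAllowsServerAuth || ku == x509.ExtKeyUsageAny || ku == x509.ExtKeyUsageServerAuth
	}
	return info
}

// TechnicallyConstrained applies the three conditions listed on this page; true means no CCADB
// record is required. The root's Websites trust bit is program data, so the caller supplies it.
func TechnicallyConstrained(info IntermediateInfo, rootHasWebsitesBit bool) bool {
	switch {
	case !rootHasWebsitesBit:
		return true // root is not enabled for Websites
	case !info.HasEKU:
		return false // no EKU extension at all: unconstrained, record required
	case !info.EKUAllowsServerAuth:
		return true // EKU present and excludes anyExtendedKeyUsage and id-kp-serverAuth
	default:
		return info.HasNameConstraints // serverAuth-capable: constrained only with Name Constraints
	}
}

// ConstructedIntermediatePEM builds a self-issued test CA so the example runs offline; it is
// constructed here for illustration and is not any real CA's certificate.
func ConstructedIntermediatePEM(ekus []x509.ExtKeyUsage, permittedDNS []string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example Intermediate CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage: ekus, PermittedDNSDomains: permittedDNS, PermittedDNSDomainsCritical: len(permittedDNS) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Feed ParsePEM the pasted text, then call Inspect and TechnicallyConstrained; a false result means a CCADB record, PEM, audit and policy data are all required for that intermediate. The check reads the EKU and Name Constraints extensions only for presence and KeyPurposeIds, exactly as the rule does; it does not evaluate which names the constraint actually permits.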

Notes

  • To add an intermediate certificate that is signed by another intermediate certificate (rather than by a root certificate), the same instructions apply, except that instead of finding the root certificate you find the issuing intermediate certificate and then click on the "New Intermediate Cert" button. 
  • PEM data must be provided for every intermediate certificate (chaining up to a root certificate in Microsoft's program) that is not technically constrained via its Extended Key Usage and Name Constraints extensions. Policy documentation and audit statements must also be provided for these non-technically-constrained intermediate certificates. 
  • If an intermediate certificate is revoked, its CCADB record must be updated to mark it as revoked and to give the reason: within 24 hours if the revocation is due to a security incident, and within 7 days for any other reason. 
See Also