Need help Cross Signing between 2 RootCAs

[Sir Asvald]

I am following this guide on Creating a trust between 2 RootCAs the link :

 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785267(v=ws.10)#cross-certification-between-root-cas

 

I am confused How do I do Sign a CrossCA between the 2 RootCAs? Both servers are 2012 R2 DataCenter. If they are already Root CAs?

 

 

[Mikensan]

Microsoft just recommends issuing certs from a CA cross multiple forests without the need to cross sign / trust.

 

https://serverfault.com/questions/703829/cross-forest-certificate-authority

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10)

https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

 

[leadeater]

Why bother? Just to see how to do it? I'm not sure of the practical use for this though.

[Jay Deah]

wow thats some old looking document.

 

the normal best practice now would be to have an offline root CA and then subordinate issuing CAs in your seperate forests acting as intermediates. super easy as every forest member can get a cert from its AD integrated CA and you still keep a single root