In our Windows Domain (2008R2 and 2012R2 Servers), we are running a Domain CA. The root certificate is a self-signed certificate.
We also have a x.509 certificate from our internet provider (mostly for our websites), signed by a trusted internet CA.
What I want to do is remove the self-signed root certificate from the Windows CA and replace it with the certificate from our provider.
Two questions:
1. Is this even possible? Can I use a certificate from a trusted CA as root certificate for my own CA?
2. Will this be possible without rebuilding the whole domain? I think the domain controllers need the certificates for their LDAP communication. What will happen if I just switch the root certificate they used to create their own certificates?
Thanks for your help!
Sorry, this is usually not possible. There are basic constraints in X.509 certificates, and one of them says if it can sign other certificates. Usually, CAs don't issue such certificates to non-CAs. This is an example of a cert allowed to sign other certs:
This is an example of a normal cert - it's disallowed to sign other certs:
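As an added example (not part of the answer above), here is a PowerShell check for the two extensions the answer refers to, Basic Constraints and Key Usage, so you can see for yourself whether a provider-issued certificate could act as a CA; the certificate path is a placeholder you replace with your own file.

```powershell
# Added example: report whether a certificate's extensions permit it to sign other certificates.
# $CertPath is a placeholder; point it at the provider-issued certificate (.cer/.crt, DER or PEM).
param(
    [string]$CertPath = 'C:\path\to\provider-cert.cer'   # placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Basic Constraints (OID 2.5.29.19): the cA flag decides whether the cert may issue other certs.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

# Key Usage (OID 2.5.29.15): a CA certificate also needs keyCertSign.
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

# A v3 certificate without Basic Constraints, or with cA=false, is an end-entity certificate.
$isCa = $false
if ($bc) { $isCa = [bool]$bc.CertificateAuthority }

$canCertSign = $false
if ($ku) {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $canCertSign = ($ku.KeyUsages -band $flags) -ne 0
}

$pathLen = 'none'
if ($bc -and $bc.HasPathLengthConstraint) { $pathLen = $bc.PathLengthConstraint }

[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    BasicConstraintsCA = $isCa
    PathLenConstraint  = $pathLen
    KeyCertSign        = $canCertSign
    UsableAsCA         = ($isCa -and $canCertSign)
}
```

Run it against your domain's current root and against the provider certificate: the root should show both flags true, the web-server certificate both false, which is why the latter cannot replace the former.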
I wouldn't worry about it. Virtually all public CAs have self-signed root certificates, so why shouldn't your private CA have a self-signed root too?