An intermediate certification authority (CA) is a CA that is subordinate to the root CA by one or more levels and typically issues certificates to other CAs in the public key infrastructure (PKI) hierarchy. The other type of subordinate CA is an issuing CA, which issues certificates to end entities such as computers and users. For native mode communication to be successful in a Configuration Manager 2007 site, the PKI certificates that are used for authentication, encryption, and signing must successfully chain to a trusted root. Certificate chaining is a native process of the Microsoft Windows operating system that locates the certificate of each subordinate CA up to the root CA and validates every certificate in the path (for example, its signature, its validity period, and its revocation status). If one certificate in the chain cannot be located or is found to be invalid (for example, expired or revoked), the entire chain is deemed invalid and Configuration Manager 2007 communication fails.

Windows computers and some devices are preconfigured with the certificates of some well-known third-party intermediate CAs, but you cannot rely on this when you use a third-party PKI solution. In that case it is best practice to install computer and server certificates together with the complete chain of intermediate CA certificates. Intermediate CA certificates can also be downloaded dynamically during the certificate chaining process, but only if the issued certificate includes the URLs of the intermediate CA certificates in its Authority Information Access (AIA) extension, the application that uses the certificate allows this behavior, and the client has network access to those URLs.

In Configuration Manager 2007 native mode, clients can dynamically download the certificates for intermediate CAs as needed if they are not already present in the local computer certificate store. However, Configuration Manager 2007 site systems do not dynamically download intermediate CA certificates, so any intermediate CA certificate that a site system needs to complete the chain must already be installed in its local computer store.

If you are using Microsoft enterprise subordinate CAs (CAs that are integrated with Active Directory), you do not need to install intermediate CA certificates on the site systems manually, because the CA certificates are published to Active Directory Domain Services, replicated throughout the forest, and retrieved automatically by domain members. However, if you are using a third-party PKI solution, ensure that the certificate chain is installed together with the server certificate on each site system.

Check with your PKI documentation for deployment options to install intermediate CA certificates for Configuration Manager 2007 computers that require them.
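The following PowerShell script is an added example and is not part of the Configuration Manager 2007 documentation. It applies the chaining rules described above to a site system: it shows the AIA URLs a server certificate advertises, walks the chain using only the certificates already present in the local computer stores (which is all a site system has, because it does not download intermediate CA certificates), installs a missing third-party intermediate CA certificate into the Intermediate Certification Authorities store, and then asks the Windows chain engine for the authoritative verdict. The thumbprint and the path to the exported intermediate CA certificate are placeholders that you must replace.

```powershell
# Added example (not from the Configuration Manager 2007 documentation).
# Assumptions: $Thumbprint identifies the site system's server certificate in
# LocalMachine\My, and $IntermediateCerPath is the intermediate CA certificate
# exported from the third-party PKI. Both default values are placeholders.
param(
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',   # placeholder
    [string]$IntermediateCerPath = 'C:\PKI\Intermediate-CA.cer'           # placeholder
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# 1. Show where the certificate says its issuer's certificate can be fetched
#    (Authority Information Access, OID 1.3.6.1.5.5.7.1.1). Clients may use these
#    URLs; site systems do not, so on a site system this is informational only.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) { $aia.Format($true) } else { 'No AIA extension present.' }

# 2. Walk the chain using only the local stores. Each link is found by matching
#    the current certificate's Issuer DN to a Subject DN in the Intermediate CA
#    store (CA) or the Trusted Root store (Root) and checking its validity period.
#    This is a presence check for what the site system has on disk; the
#    cryptographic verification (signatures, revocation) is done in step 3.
function Test-LocalChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $stores  = @('Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')
    $current = $Leaf
    $path    = @($Leaf.Subject)
    for ($depth = 0; $depth -lt 10; $depth++) {
        if ($current.Subject -eq $current.Issuer) {
            # Self-signed: the chain is complete only if this root is trusted.
            $inRoot = Get-ChildItem 'Cert:\LocalMachine\Root' |
                      Where-Object { $_.Thumbprint -eq $current.Thumbprint }
            $missing = $null
            if (-not $inRoot) { $missing = "root not trusted: $($current.Subject)" }
            return [pscustomobject]@{ Complete = [bool]$inRoot; Path = $path; Missing = $missing }
        }
        $issuer = Get-ChildItem $stores | Where-Object { $_.Subject -eq $current.Issuer } |
                  Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $issuer) {
            return [pscustomobject]@{ Complete = $false; Path = $path; Missing = $current.Issuer }
        }
        $now = Get-Date
        if ($now -lt $issuer.NotBefore -or $now -gt $issuer.NotAfter) {
            return [pscustomobject]@{ Complete = $false; Path = $path; Missing = "expired: $($issuer.Subject)" }
        }
        $path   += $issuer.Subject
        $current = $issuer
    }
    [pscustomobject]@{ Complete = $false; Path = $path; Missing = 'chain deeper than 10 levels' }
}

# 3. Authoritative verdict from the Windows chain engine, with online revocation
#    checking. Note that on Windows this build may itself fetch issuer certificates
#    via AIA, so a success here does not by itself prove that the intermediates are
#    installed locally; that is why step 2 exists.
function Get-ChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $built = $chain.Build($Leaf)
    $status = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    [pscustomobject]@{ Valid = $built; Status = ($status -join '; ') }
}

$local = Test-LocalChain -Leaf $cert
if (-not $local.Complete -and (Test-Path $IntermediateCerPath)) {
    # Install the exported intermediate CA certificate into the local computer's
    # Intermediate Certification Authorities store, then re-check the chain.
    certutil.exe -addstore CA $IntermediateCerPath | Out-Null
    $local = Test-LocalChain -Leaf $cert
}
$local
Get-ChainStatus -Leaf $cert
```

Run the script in an elevated PowerShell session on the site system itself, not on an administrator workstation: the point of the local-store walk is to see exactly what that computer can chain without network retrieval, and a workstation that happens to have the intermediate cached or reachable via AIA will report success where the site system would fail.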

See Also