
I have deployed a PKI infrastructure with a Stand-Alone Root CA (which will be kept off) and 4 Enterprise SubCAs which depend on this Root CA. To make the computers trust the Root CA, I am going to send the Root CA certificate to the domain computers to be distributed from an AD GPO. The doubt I have is whether I also have to distribute the certificates of the SubCAs to the respective computers that are going to use the certificates of that SubCA.

Thanks

1 Answer

When you push the root out via GPO, I would also push the intermediate certificates.

Per RFC, the application serving the certificate to the client is required to send the whole chain to the client. The root certificate may be omitted, but can also be included.

Now there might be some scenarios in which there will be problems in your environment:

  • An application is coded badly and sends only the machine certificate
  • A user uploaded a certificate (from the internal PKI) to an application, but is not aware that he has to upload the whole chain. This causes the application to only present the machine certificate to the client

To sum up, you might experience problems, so I would just include the certificates in the same GPO.

  • So it is necessary to distribute the RootCA certificate and the SUBCA certificate by GPO to the computers in order for them to trust these two CAs?
    – Santyuste
    Aug 9 at 6:16
  • It is one way to do it. A certificate can also be published in the domain with the command "certutil -dspublish -f root.crt RootCA", where root.crt is your certificate file of the root CA. This populates the certificate store of domain-joined machines automatically. You have to do it for the Root when it's standalone and not domain-joined. I cannot remember doing the same step for the certificate of the intermediate CA, so I guess that cert might be included in the domain automatically when the intermediate CA is domain-joined.
    Aug 9 at 7:27
  • To publish the certificate with the -dspublish command, is it not necessary to change the path in the CA server extensions first? Can it be done without adding the LDAP path in the CA server extension? With this command, is the certificate then distributed to the computers in the domain?
    – Santyuste
    Aug 17 at 7:47
  • I didn't change any paths before executing the command and it worked as expected. However, in our simple environment we regularly had to push the root CRL manually via the same command because the RootCA was offline. So it might not be the optimal setup. But this command is how you would publish it.
    Aug 17 at 8:13
  • If I add the LDAP path to the Standard CA server extensions, do I have to resend the root certificate to the SubCAs?
    – Santyuste
    Aug 17 at 8:38
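As an added example (not code from the question, the answer or the comments), the three situations discussed above reproduced with openssl on a throwaway Root CA / Sub CA / server chain: a client that trusts only the root and gets only the server certificate, the same client getting the full chain from the application, and a client whose store also holds the Sub CA certificate (what the GPO or certutil -dspublish would put there). All names and the 2-day validity are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway Root CA -> Sub CA -> server chain, then three
# chain validations that mirror the scenarios in the answer. Constructed names.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certificates get CA:TRUE, the server certificate CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > ee.ext

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper around the openssl calls

# Offline root: self-signed.
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr
q openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.pem
# Enterprise Sub CA, issued by the root.
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr
q openssl x509 -req -days 2 -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -out sub.pem
# Server (machine) certificate, issued by the Sub CA.
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" -keyout server.key -out server.csr
q openssl x509 -req -days 2 -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial -extfile ee.ext -out server.pem

# verify_chain TRUSTSTORE [UNTRUSTED]: prints OK or FAIL.
# TRUSTSTORE plays the machine's trusted certificate stores (what GPO / dspublish fills);
# UNTRUSTED plays the extra certificates the application sends in the handshake.
verify_chain() {
  if [ -n "${2:-}" ]; then
    q openssl verify -CAfile "$1" -untrusted "$2" server.pem && echo OK || echo FAIL
  else
    q openssl verify -CAfile "$1" server.pem && echo OK || echo FAIL
  fi
}
cat root.pem sub.pem > root_and_sub.pem

# Case 1: only the root is trusted, badly coded application sends only the machine certificate.
only_root_leaf_only=$(verify_chain root.pem)
# Case 2: only the root is trusted, application sends the machine certificate plus the Sub CA certificate.
only_root_full_chain=$(verify_chain root.pem sub.pem)
# Case 3: Sub CA certificate was pushed to the client store, application sends only the machine certificate.
root_and_sub_leaf_only=$(verify_chain root_and_sub.pem)

echo "trust root only, leaf only sent   : $only_root_leaf_only"
echo "trust root only, full chain sent  : $only_root_full_chain"
echo "trust root + sub, leaf only sent  : $root_and_sub_leaf_only"
```

Windows CryptoAPI can additionally fetch a missing intermediate from the certificate's AIA URL, which openssl verify does not attempt, so case 1 here is the worst case: an intranet application that sends only the leaf and a client with no AIA access.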
