Solved

Intermediate Certification Authority

Posted on 2009-05-08
5
2,591 Views
Last Modified: 2012-08-13
I am planning to apply Intermediate Certificate Authority's certs to our servers using Group Policy. When I go to group policy Policy Object Name/Computer Configuration/Windows Settings/Security Settings/ Phulic Key Policies/, I don't see Intermediate Certification Authority folder.

Is there a way to apply cert to Intermediate Certificate Authority through GPO?

Thanks
0
Comment
Question by:dongocdung
  • 3
5 Comments
 
LVL 1

Assisted Solution

by:yourbts
yourbts earned 100 total points
ID: 24339402
You can't pulblish intermediate CA certs from WIndows 2003, but can from Windows 2008.

According to Joson Zhou with Microsoft...

"The functionality to import intermediate CA certificates using group policy is available in Windows Server 2008 but not in Windows Server 2003. For Windows 2003 domain, you could write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. As long as the script is run under the System account it should work.

Certutil f addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store."

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/805285fe-98d7-490f-806a-681221c9ab73
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339891
Normally deploying the root cert is good enough through GPO, however if necessary there are a few different methods:

1) Have users install manually (not realistic in most cases) - may require admin rights depending on your security settings.

2) Deploy via GPO under the Trusted Roots container

3) Create a logon script - usually too much work compared to the simple method of #2.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339901
To explain a little more from my last post - if the client trusts the root CA cert that the cert is signed under, then the server that is offering the certificate for validation should have the entire certificate chain installed, if it does it will push the rest of the certs for the certificate chaining engine to use.  Also, the AIA should be defined for all CA certs except root, normally similar to the CDP locations.
0
 

Author Comment

by:dongocdung
ID: 24366142
If I installed the certs on one of the domain controlller. Will this replicate to the entire infrastructure?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 400 total points
ID: 24369426
Not sure I follow here.

A DC cert needs to be installed on each DC, this is usually done through autoenrollment if you have enterprise edition OS for your CA and it is running as enterprise CA.  Usually get domain controller authentication and directory email replication certs for each DC (maybe domain controller as well, but this should normally be superceded by default by domain controller authentication template).  Your AD should be at 2003 native mode if possible - if not then just the domain controller template will go through ACRS which is similar to autoenrollment 2000-style if you have 2000 DCs still for some unholy reason.

If you are talking about installed the root or intermediate cert - these should usually be pushed via GPO and will end up on all your domain machines like any other GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

http://technet.microsoft.com/en-us/library/cc738131.aspx

You can have the intermediate pushed to the root area just fine - usually not necessary, but it doesn't hurt any.  If you use a lot of mixed software then it might be worth it, most smaller companies don't need to worry about that, but then most smaller companies aren't rolling out policy CAs either.

If you install manually to the DC due to GPO restrictions to the DC OU, then you would need to repeat for each DC.

You might also want to run 'certutil -dspublish %certserialnumber% to publish it to AD, especially if you have an LDAP location in your AIA.
0

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now