Intermediate Certification Authority

Posted on 2009-05-08
Last Modified: 2012-08-13
I am planning to apply Intermediate Certificate Authority's certs to our servers using Group Policy. When I go to group policy Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/, I don't see the Intermediate Certification Authority folder.

Is there a way to apply cert to Intermediate Certificate Authority through GPO?

Thanks
0
Comment
Question by:dongocdung
  • 3
5 Comments
 
LVL 1

Assisted Solution

by:yourbts
yourbts earned 300 total points
ID: 24339402
You can't publish intermediate CA certs from Windows 2003, but can from Windows 2008.

According to Joson Zhou with Microsoft...

"The functionality to import intermediate CA certificates using group policy is available in Windows Server 2008 but not in Windows Server 2003. For Windows 2003 domain, you could write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. As long as the script is run under the System account it should work.

Certutil -f -addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store."

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/805285fe-98d7-490f-806a-681221c9ab73
0
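A startup-script version of the approach quoted above, as an added example that is not part of the original post or of Microsoft's reply. It checks that the file is the expected intermediate CA certificate before calling certutil, and skips the import if the certificate is already in the CA store. Assumptions: PowerShell is installed on the target servers, and the share path and thumbprint are placeholders to replace with your own values.

```powershell
# Added example: GPO computer startup script (runs under the System account).
# $CertPath and $ExpectedThumbprint are placeholders, not values from the page.
param(
    [string]$CertPath = '\\example.local\NETLOGON\certs\intermediate-ca.crt',
    [string]$ExpectedThumbprint = '<SHA1-THUMBPRINT-OF-YOUR-INTERMEDIATE-CA>'
)
$ErrorActionPreference = 'Stop'

# Load the file and refuse anything other than the certificate we expect,
# so a swapped file on the share is not silently trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for $CertPath (got $($cert.Thumbprint)); not importing."
}

# The CA store is for intermediates: require a CA certificate that is not self-signed.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CertPath is not a CA certificate (Basic Constraints CA flag missing)."
}
if ($cert.Subject -eq $cert.Issuer) {
    throw "$CertPath is self-signed; a root belongs in Trusted Root, not the CA store."
}

# Check the machine's Intermediate Certification Authorities store ("CA").
$location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'CA', $location
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $expected }).Count -gt 0
} finally {
    $store.Close()
}

if ($present) {
    Write-Output "Intermediate CA $expected already present; nothing to do."
} else {
    # Same command as quoted in the answer above.
    & certutil.exe -f -addstore CA $CertPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    Write-Output "Imported intermediate CA $expected into LocalMachine\CA."
}
```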
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1200 total points
ID: 24339891
Normally deploying the root cert is good enough through GPO, however if necessary there are a few different methods:

1) Have users install manually (not realistic in most cases) - may require admin rights depending on your security settings.

2) Deploy via GPO under the Trusted Roots container

3) Create a logon script - usually too much work compared to the simple method of #2.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1200 total points
ID: 24339901
To explain a little more from my last post - if the client trusts the root CA cert that the cert is signed under, then the server that is offering the certificate for validation should have the entire certificate chain installed; if it does, it will push the rest of the certs for the certificate chaining engine to use. Also, the AIA should be defined for all CA certs except root, normally similar to the CDP locations.
0
 

Author Comment

by:dongocdung
ID: 24366142
If I installed the certs on one of the domain controllers, will this replicate to the entire infrastructure?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1200 total points
ID: 24369426
Not sure I follow here.

A DC cert needs to be installed on each DC, this is usually done through autoenrollment if you have enterprise edition OS for your CA and it is running as enterprise CA.  Usually get domain controller authentication and directory email replication certs for each DC (maybe domain controller as well, but this should normally be superseded by default by domain controller authentication template).  Your AD should be at 2003 native mode if possible - if not then just the domain controller template will go through ACRS which is similar to autoenrollment 2000-style if you have 2000 DCs still for some unholy reason.

If you are talking about installing the root or intermediate cert - these should usually be pushed via GPO and will end up on all your domain machines like any other GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

http://technet.microsoft.com/en-us/library/cc738131.aspx

You can have the intermediate pushed to the root area just fine - usually not necessary, but it doesn't hurt any.  If you use a lot of mixed software then it might be worth it, most smaller companies don't need to worry about that, but then most smaller companies aren't rolling out policy CAs either.

If you install manually to the DC due to GPO restrictions to the DC OU, then you would need to repeat for each DC.

You might also want to run 'certutil -dspublish %certserialnumber%' to publish it to AD, especially if you have an LDAP location in your AIA.
0
