Solved

Intermediate Certification Authority

Posted on 2009-05-08
5
2,619 Views
Last Modified: 2012-08-13
I am planning to apply Intermediate Certificate Authority's certs to our servers using Group Policy. When I go to group policy Policy Object Name/Computer Configuration/Windows Settings/Security Settings/ Phulic Key Policies/, I don't see Intermediate Certification Authority folder.

Is there a way to apply cert to Intermediate Certificate Authority through GPO?

Thanks
0
Comment
Question by:dongocdung
  • 3
5 Comments
 
LVL 1

Assisted Solution

by:yourbts
yourbts earned 100 total points
ID: 24339402
You can't pulblish intermediate CA certs from WIndows 2003, but can from Windows 2008.

According to Joson Zhou with Microsoft...

"The functionality to import intermediate CA certificates using group policy is available in Windows Server 2008 but not in Windows Server 2003. For Windows 2003 domain, you could write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. As long as the script is run under the System account it should work.

Certutil f addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store."

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/805285fe-98d7-490f-806a-681221c9ab73
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339891
Normally deploying the root cert is good enough through GPO, however if necessary there are a few different methods:

1) Have users install manually (not realistic in most cases) - may require admin rights depending on your security settings.

2) Deploy via GPO under the Trusted Roots container

3) Create a logon script - usually too much work compared to the simple method of #2.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339901
To explain a little more from my last post - if the client trusts the root CA cert that the cert is signed under, then the server that is offering the certificate for validation should have the entire certificate chain installed, if it does it will push the rest of the certs for the certificate chaining engine to use.  Also, the AIA should be defined for all CA certs except root, normally similar to the CDP locations.
0
 

Author Comment

by:dongocdung
ID: 24366142
If I installed the certs on one of the domain controlller. Will this replicate to the entire infrastructure?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 400 total points
ID: 24369426
Not sure I follow here.

A DC cert needs to be installed on each DC, this is usually done through autoenrollment if you have enterprise edition OS for your CA and it is running as enterprise CA.  Usually get domain controller authentication and directory email replication certs for each DC (maybe domain controller as well, but this should normally be superceded by default by domain controller authentication template).  Your AD should be at 2003 native mode if possible - if not then just the domain controller template will go through ACRS which is similar to autoenrollment 2000-style if you have 2000 DCs still for some unholy reason.

If you are talking about installed the root or intermediate cert - these should usually be pushed via GPO and will end up on all your domain machines like any other GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

http://technet.microsoft.com/en-us/library/cc738131.aspx

You can have the intermediate pushed to the root area just fine - usually not necessary, but it doesn't hurt any.  If you use a lot of mixed software then it might be worth it, most smaller companies don't need to worry about that, but then most smaller companies aren't rolling out policy CAs either.

If you install manually to the DC due to GPO restrictions to the DC OU, then you would need to repeat for each DC.

You might also want to run 'certutil -dspublish %certserialnumber% to publish it to AD, especially if you have an LDAP location in your AIA.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question