Solved

Intermediate Certification Authority

Posted on 2009-05-08
2,654 Views
Last Modified: 2012-08-13
I am planning to apply Intermediate Certificate Authority certs to our servers using Group Policy. When I go to Group Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/, I don't see an Intermediate Certification Authorities folder.

Is there a way to apply a cert to Intermediate Certification Authorities through GPO?

Thanks
Question by:dongocdung
5 Comments
 
LVL 1

Assisted Solution

by:yourbts
yourbts earned 300 total points
ID: 24339402
You can't publish intermediate CA certs from Windows 2003, but can from Windows 2008.

According to Joson Zhou with Microsoft...

"The functionality to import intermediate CA certificates using group policy is available in Windows Server 2008 but not in Windows Server 2003. For Windows 2003 domain, you could write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. As long as the script is run under the System account it should work.

certutil -f -addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store."

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/805285fe-98d7-490f-806a-681221c9ab73
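As an added example (not from the thread and not from the TechNet post quoted above), a startup script implementing what yourbts describes: assigned under Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) it runs as SYSTEM, checks whether the intermediate CA cert is already in the machine's Intermediate Certification Authorities store (programmatic name CA), refuses anything that is not a CA certificate or is self-signed (a root belongs under Trusted Root instead), and only then runs the `certutil -f -addstore CA` command. The share path and file name are assumptions. It is written in PowerShell rather than the batch file a 2003-era domain would have used; in cmd the same deployment collapses to the certutil line alone, without the idempotency and sanity checks.

```powershell
# Added example: GPO startup script that pushes an intermediate CA cert into the
# LocalMachine\CA (Intermediate Certification Authorities) store. Not from the thread.
# Assumed (hypothetical) location of the cert file on a share every computer can read.
$CertPath = '\\corp.example\NETLOGON\PKI\IssuingCA.crt'
$LogPath  = Join-Path $env:SystemRoot 'Temp\Deploy-IntermediateCA.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
} catch {
    Write-Log "Cannot read $CertPath : $($_.Exception.Message)"
    exit 1
}

# Only CA certificates belong in this store: require Basic Constraints CA=TRUE,
# and reject self-signed (root) certs, which belong under Trusted Root instead.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority -or $cert.Subject -eq $cert.Issuer) {
    Write-Log "Refusing $($cert.Subject): not an intermediate CA certificate"
    exit 1
}

# Idempotency check against the machine store by thumbprint, so the script can run
# at every boot without churning the store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$store.Open('ReadOnly')
$present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$store.Close()

if ($present) {
    Write-Log "Already present: $($cert.Subject) ($($cert.Thumbprint))"
    exit 0
}

# 'CA' is the programmatic name of the Intermediate Certification Authorities store.
$output = & certutil.exe -f -addstore CA $CertPath 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log "certutil failed ($LASTEXITCODE): $output"
    exit $LASTEXITCODE
}
Write-Log "Added $($cert.Subject) ($($cert.Thumbprint)) to LocalMachine\CA"
```

The script writes to a log under %SystemRoot%\Temp because a startup script has no console; check that file on a test machine after the first reboot to confirm the add happened, then confirm with `certutil -store CA` that the thumbprint is listed.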
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1200 total points
ID: 24339891
Normally deploying the root cert is good enough through GPO, however if necessary there are a few different methods:

1) Have users install manually (not realistic in most cases) - may require admin rights depending on your security settings.

2) Deploy via GPO under the Trusted Roots container

3) Create a logon script - usually too much work compared to the simple method of #2.
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1200 total points
ID: 24339901
To explain a little more from my last post: if the client trusts the root CA cert that the cert is signed under, then the server that is offering the certificate for validation should have the entire certificate chain installed; if it does, it will push the rest of the certs for the certificate chaining engine to use. Also, the AIA should be defined for all CA certs except the root, normally similar to the CDP locations.
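An added check (not from the thread) for the two conditions Paranormastic names: on the server, build the chain for the certificate it will present, show which machine store each element was found in (My, CA or Root), and list the AIA URLs on every non-root element. A chain element reported as "not installed", or an intermediate with no AIA, is exactly the situation where a client that only holds the root cannot complete validation. The thumbprint in the usage line is a hypothetical value, the script assumes a modern PowerShell, and revocation is deliberately not checked because the point here is chain shape.

```powershell
# Added example (not from the thread): verify a server certificate's chain and AIA on the
# machine that will present it. Pass the thumbprint of the server cert in
# Cert:\LocalMachine\My (assumed to exist; the value in the usage line is hypothetical).
function Test-ServerCertChain {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Map thumbprints to the machine store they live in, so we can see whether the
    # intermediates Schannel needs to send are actually installed on this box.
    $location = @{}
    foreach ($storeName in 'Root', 'CA', 'My') {
        Get-ChildItem "Cert:\LocalMachine\$storeName" | ForEach-Object {
            if (-not $location.ContainsKey($_.Thumbprint)) { $location[$_.Thumbprint] = $storeName }
        }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only; CRL/OCSP is a separate test
    $built = $chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $isRoot = ($c.Subject -eq $c.Issuer)

        # AIA is OID 1.3.6.1.5.5.7.1.1; Format() renders each caIssuers/OCSP entry as "URL=...".
        $aiaExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
        $aiaUrls = @()
        if ($aiaExt) {
            $aiaUrls = @([regex]::Matches($aiaExt.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        if (-not $isRoot -and $aiaUrls.Count -eq 0) {
            Write-Warning "No AIA on non-root cert: $($c.Subject)"
        }

        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            Store      = if ($location.ContainsKey($c.Thumbprint)) { $location[$c.Thumbprint] } else { 'not installed' }
            IsRoot     = $isRoot
            AIA        = ($aiaUrls -join '; ')
            Status     = (($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }

    if (-not $built) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain did not build: $reasons"
    }
}

# Usage (hypothetical thumbprint):
# Test-ServerCertChain -Thumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678' | Format-Table -AutoSize
```

Run it on the server, not on a client: the chain engine builds from whatever is in the server's own stores plus anything it can fetch from AIA, so a leaf that chains fine here but whose intermediate shows "not installed" is being completed by an AIA download that a locked-down client may not be able to repeat.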
 

Author Comment

by:dongocdung
ID: 24366142
If I installed the certs on one of the domain controllers, will this replicate to the entire infrastructure?
 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 1200 total points
ID: 24369426
Not sure I follow here.

A DC cert needs to be installed on each DC; this is usually done through autoenrollment if you have the Enterprise edition OS for your CA and it is running as an enterprise CA. Usually you get domain controller authentication and directory email replication certs for each DC (maybe domain controller as well, but this should normally be superseded by default by the domain controller authentication template). Your AD should be at 2003 native mode if possible - if not, then just the domain controller template will go through ACRS, which is similar to 2000-style autoenrollment, if you still have 2000 DCs for some unholy reason.

If you are talking about installing the root or intermediate cert - these should usually be pushed via GPO and will end up on all your domain machines like any other GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

http://technet.microsoft.com/en-us/library/cc738131.aspx

You can have the intermediate pushed to the root area just fine - usually not necessary, but it doesn't hurt any.  If you use a lot of mixed software then it might be worth it, most smaller companies don't need to worry about that, but then most smaller companies aren't rolling out policy CAs either.

If you install manually to the DC due to GPO restrictions to the DC OU, then you would need to repeat for each DC.

You might also want to run 'certutil -dspublish %certserialnumber%' to publish it to AD, especially if you have an LDAP location in your AIA.
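As an added example (not from the thread), the publish-to-AD step from the accepted answer with a check that it actually landed. `certutil -dspublish` takes the certificate file plus a target keyword: `SubCA` writes the cert into the AIA container (CN=AIA,CN=Public Key Services,CN=Services,<configuration NC>), which is the `ldap:///` object an AIA extension normally points at, while `RootCA` is the keyword for a self-signed root. It must run as an account that can write to that container (Enterprise Admins by default), and the file path is an assumption. This complements the Trusted Root GPO push rather than replacing it: the GPO puts the cert into each machine's store, and the AD object is what clients can fetch through an LDAP AIA URL.

```powershell
# Added example (not from the thread): publish an intermediate CA cert to the AD AIA
# container and verify it by reading cACertificate back over LDAP. The file path is
# hypothetical; run as Enterprise Admin on a domain-joined machine.
param([string]$CertFile = 'C:\PKI\IssuingCA.crt')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($cert.Subject -eq $cert.Issuer) {
    throw "$CertFile is self-signed; publish roots with the RootCA keyword, not SubCA"
}

# -f overwrites an existing object with the same CN; SubCA targets the AIA container.
& certutil.exe -dspublish -f $CertFile SubCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Read back: every object under CN=AIA holds one or more DER certs in cACertificate.
$configNC     = ([adsi]'LDAP://RootDSE').configurationNamingContext
$aiaContainer = [adsi]"LDAP://CN=AIA,CN=Public Key Services,CN=Services,$configNC"

$publishedAt = foreach ($obj in $aiaContainer.Children) {
    foreach ($der in $obj.Properties['cACertificate']) {
        $stored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        if ($stored.Thumbprint -eq $cert.Thumbprint) { $obj.Properties['distinguishedName'].Value }
    }
}

if (-not $publishedAt) {
    throw "Thumbprint $($cert.Thumbprint) not found under CN=AIA after publish (replication lag, or wrong DC?)"
}
"Published $($cert.Subject) at: $publishedAt"
```

The read-back goes against whichever DC the LDAP binding picks; if the publish and the verification hit different DCs you can see a false negative until the Configuration partition replicates, which is also the answer to the replication question above: the AD object replicates, but certificates installed by hand into a DC's local store do not.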
