Intermediate Certification Authority

Posted on 2009-05-08
Last Modified: 2012-08-13
I am planning to apply Intermediate Certificate Authority's certs to our servers using Group Policy. When I go to group policy Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/, I don't see Intermediate Certification Authority folder.

Is there a way to apply cert to Intermediate Certificate Authority through GPO?

Thanks
Question by:dongocdung

Assisted Solution

by:yourbts
yourbts earned 100 total points
ID: 24339402
You can't publish intermediate CA certs from Windows 2003, but can from Windows 2008.

According to Joson Zhou with Microsoft...

"The functionality to import intermediate CA certificates using group policy is available in Windows Server 2008 but not in Windows Server 2003. For Windows 2003 domain, you could write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect. As long as the script is run under the System account it should work.

certutil -f -addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store."

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/805285fe-98d7-490f-806a-681221c9ab73
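A computer startup script that does what the certutil command quoted above describes, as an added example that is not part of the original thread or of Microsoft's guidance. It assumes the .crt is on a share readable by computer accounts (the UNC path is a placeholder), that the script runs as LocalSystem the way GPO startup scripts do, and that the PowerShell Cert: drive is available for the before/after check; the import itself is the same certutil -addstore call.

```powershell
# Added example (not from the thread): import an intermediate CA certificate into
# the computer's Intermediate Certification Authorities store ("CA") from a GPO
# startup script, for domains where the Intermediate CA GPO container is absent.
# Assumptions: placeholder UNC path below; runs as LocalSystem; Cert: drive available.

param(
    [string]$CertPath = '\\example.local\NETLOGON\IssuingCA01.crt'   # placeholder path
)

# Load the certificate so the store can be checked before anything is changed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Idempotence: if this thumbprint is already in LocalMachine\CA there is nothing to do,
# which matters because startup scripts run on every boot.
$existing = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Output "Intermediate CA '$($cert.Subject)' already present; nothing to do."
    exit 0
}

# A self-signed certificate is a root; it belongs in the Root store, not in CA.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Error "Certificate is self-signed (a root CA); refusing to import it into the CA store."
    exit 1
}

# -f overwrites an older copy; CA is the programmatic name of the Intermediate CA store.
& certutil.exe -f -addstore CA $CertPath
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -addstore failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Verify the import by thumbprint rather than trusting certutil's exit code alone.
$check = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $check) {
    Write-Error "Import reported success but the certificate is not in LocalMachine\CA"
    exit 1
}
Write-Output "Imported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) into LocalMachine\CA."
```

The thumbprint check is what makes the script safe to assign as a startup script: it only calls certutil when the certificate is genuinely missing, and it refuses a root certificate so a mis-pointed path cannot quietly put a root into the intermediate store. The quoted note that the server has to be rebooted still applies to the 2003-era approach; a startup script naturally runs at that point.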

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339891
Normally deploying the root cert is good enough through GPO, however if necessary there are a few different methods:

1) Have users install manually (not realistic in most cases) - may require admin rights depending on your security settings.

2) Deploy via GPO under the Trusted Roots container

3) Create a logon script - usually too much work compared to the simple method of #2.

Assisted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24339901
To explain a little more from my last post - if the client trusts the root CA cert that the cert is signed under, then the server that is offering the certificate for validation should have the entire certificate chain installed, if it does it will push the rest of the certs for the certificate chaining engine to use.  Also, the AIA should be defined for all CA certs except root, normally similar to the CDP locations.

Author Comment

by:dongocdung
ID: 24366142
If I install the certs on one of the domain controllers, will this replicate to the entire infrastructure?

Accepted Solution

by:Paranormastic
Paranormastic earned 400 total points
ID: 24369426
Not sure I follow here.

A DC cert needs to be installed on each DC, this is usually done through autoenrollment if you have enterprise edition OS for your CA and it is running as enterprise CA. Usually get domain controller authentication and directory email replication certs for each DC (maybe domain controller as well, but this should normally be superseded by default by domain controller authentication template). Your AD should be at 2003 native mode if possible - if not then just the domain controller template will go through ACRS which is similar to autoenrollment 2000-style if you have 2000 DCs still for some unholy reason.

If you are talking about installing the root or intermediate cert - these should usually be pushed via GPO and will end up on all your domain machines like any other GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

http://technet.microsoft.com/en-us/library/cc738131.aspx

You can have the intermediate pushed to the root area just fine - usually not necessary, but it doesn't hurt any.  If you use a lot of mixed software then it might be worth it, most smaller companies don't need to worry about that, but then most smaller companies aren't rolling out policy CAs either.

If you install manually to the DC due to GPO restrictions to the DC OU, then you would need to repeat for each DC.

You might also want to run 'certutil -dspublish %certserialnumber%' to publish it to AD, especially if you have an LDAP location in your AIA.
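An added check, not from the thread, for the two points raised in the accepted solution and the post before it: whether a server certificate's chain actually builds on the machine you run it on (intermediates found locally or fetched via AIA), and whether each non-root CA certificate in that chain carries an AIA extension. It uses the .NET X509Chain class and the Cert: drive; the certificate path is a placeholder.

```powershell
# Added example (not from the thread): report on a server certificate's chain.
# For each chain element it shows whether the cert is a root, whether it carries an
# AIA extension, and whether it was found in LocalMachine\Root or LocalMachine\CA.
# Assumption: C:\temp\server.cer is a placeholder path to the server certificate.

param(
    [string]$CertPath = 'C:\temp\server.cer'   # placeholder path
)

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online revocation checking exercises the CDP/AIA URLs the way a client would.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

$built = $chain.Build($leaf)
Write-Output ("Chain builds on this machine: {0}" -f $built)

$aiaOid   = '1.3.6.1.5.5.7.1.1'   # Authority Information Access
$elements = $chain.ChainElements
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c      = $elements[$i].Certificate
    $isRoot = ($c.Subject -eq $c.Issuer)
    $hasAia = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid })

    # Where the element lives locally, if anywhere. Element 0 is the leaf itself.
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    $inCA   = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    $source = if ($inRoot) { 'LocalMachine\Root' }
              elseif ($inCA) { 'LocalMachine\CA' }
              else { 'not in local stores (leaf, AIA fetch, or cache)' }

    Write-Output ("[{0}] {1}" -f $i, $c.Subject)
    Write-Output ("     root={0}  AIA={1}  local={2}" -f $isRoot, $hasAia, $source)

    # The thread's rule: every CA cert except the root should carry an AIA extension.
    if ($i -gt 0 -and -not $isRoot -and -not $hasAia) {
        Write-Warning "Intermediate '$($c.Subject)' has no AIA extension; clients lacking it in their CA store cannot fetch it."
    }
    # Any chain status flags (untrusted root, revocation unknown, etc.) are reported per element.
    foreach ($s in $elements[$i].ChainElementStatus) {
        Write-Warning ("     status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Run it on a freshly joined workstation, not on the CA, to see what a real client experiences: if the intermediate only shows as "not in local stores" and the chain still builds, it arrived via AIA; if the chain fails to build, that is the case where pushing the intermediate to the CA (or Trusted Root) container via GPO fixes things. The built-in command certutil -verify -urlfetch <file> produces a comparable report from the Windows chaining engine itself.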