PKI trust in Active Directory

5y5tem5

11/26/22, 6:31 PM

Assuming that the certificate of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question would they be trusted (i.e. would a certificate issued in this fashion work to authenticate to the domain) ?

1 + 1

active-directory

pki

certificate-authority

ad-certificate-services

active-directory-adcs

Greg Askew

11/26/22, 8:34 PM

For a real smart card PKI no. Issuing CA certificates are registered in the AD Enterprise NTAuth store. But if you have already gotten that far that step is fairly straightforward.

Score:1

Server

Massimo

11/26/22, 6:37 PM

If all computers in the domain trust the root CA, then by definition they will trust every certificate signed by it, including that of a new sub-CA.

However, if the new sub-CA is not AD-integrated, some computers or applications could have issues in validating the whole CA chain up to the root; in order to fix this, you can deploy the sub-CA's certificate as a Trusted Intermediate Certification Authority using a GPO.

0 + 2

5y5tem5

11/26/22, 6:47 PM

thank you, assuming this not AD-integrated CA's certificate is provided at authentication (certificate chain) or is available to the system that is handling authentication (say via AIA) then in that case it could be used login, correct?

Massimo

11/26/22, 7:05 PM

This really depends on where and how you want to login. "Being signed by a trusted CA" and "being authorized to login" are two related but distinct things. The certificate would definitely be *trusted*; whether it would be *accepted* depends on who or what is doing the authentication.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: PKI trust in Active Directory

TH: PKI เชื่อมั่นใน Active Directory

RO: PKI încredere în Active Directory

RU: Доверие PKI к Active Directory

VI: PKI tin tưởng vào Active Directory

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.