Score:0

PKI trust in Active Directory


Assume that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA, which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints), and that CA then issued user/computer/smart card certificates for resources of the domain in question, would they be trusted (i.e. would a certificate issued in this fashion work to authenticate to the domain)?

For a real smart card PKI, no. Issuing CA certificates are registered in the AD Enterprise NTAuth store. But if you have already gotten that far, that step is fairly straightforward.
Score:1

If all computers in the domain trust the root CA, then by definition they will trust every certificate signed by it, including that of a new sub-CA.

However, if the new sub-CA is not AD-integrated, some computers or applications could have issues validating the whole CA chain up to the root; to fix this, you can deploy the sub-CA's certificate as a Trusted Intermediate Certification Authority using a GPO.

5y5tem5
Thank you. Assuming this non-AD-integrated CA's certificate is provided at authentication (certificate chain) or is available to the system that is handling authentication (say via AIA), then in that case it could be used to log in, correct?
Massimo
This really depends on where and how you want to login. "Being signed by a trusted CA" and "being authorized to login" are two related but distinct things. The certificate would definitely be *trusted*; whether it would be *accepted* depends on who or what is doing the authentication.
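A way to check the two things the answer and its comments keep apart, namely whether a certificate merely chains to a root the machine trusts versus whether its issuing CA is in NTAuth and the leaf carries an EKU usable for domain logon. This is an added PowerShell example, not code from the original question or answers. It assumes a domain-joined Windows host, a domain user able to read the Configuration partition over LDAP, and a hypothetical `$LeafPath` parameter pointing at a `.cer` file of the user/computer/smart card certificate under test.

```powershell
<#
  Added example, not code from the original question or answers.
  For one leaf certificate it reports separately:
    1. "trusted"  : the chain builds to a root this machine trusts, and the
                    sub-CA certificate could be located (AIA, chain, or a
                    GPO-deployed intermediate);
    2. "accepted" : the issuing CA is published in the forest's
                    NTAuthCertificates object and the leaf carries a logon EKU.
  Assumptions: domain-joined Windows host, run as a domain user, $LeafPath is
  a .cer file of the certificate under test (hypothetical parameter).
#>
param(
    [Parameter(Mandatory = $true)][string]$LeafPath
)

$ns   = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$ns.X509Certificate2" -ArgumentList $LeafPath

# --- 1. Trust: build the chain the way CryptoAPI on this machine would ---
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only; revocation is a separate check
$chainBuilds = $chain.Build($leaf)
$statusText  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
if (-not $statusText) { $statusText = 'NoError' }
if ($chain.ChainElements.Count -lt 2) {
    throw "No issuing CA found for '$($leaf.Subject)' (status: $statusText). Supply the sub-CA certificate in the chain, via AIA, or as a GPO-deployed intermediate."
}
$issuer = $chain.ChainElements[1].Certificate
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# --- 2. Acceptance for logon: is the issuing CA in NTAuthCertificates? ---
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuthThumbprints = foreach ($blob in $ntAuth.Properties['cACertificate']) {
    (New-Object "$ns.X509Certificate2" -ArgumentList (,[byte[]]$blob)).Thumbprint
}
$issuerInNtAuth = @($ntAuthThumbprints) -contains $issuer.Thumbprint

# --- 3. Does the leaf itself claim a logon purpose and carry an identity? ---
$ekuExt = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$hasSmartCardLogon = $ekus -contains '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$hasClientAuth     = $ekus -contains '1.3.6.1.5.5.7.3.2'        # Client Authentication
$sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

[PSCustomObject]@{
    Subject           = $leaf.Subject
    IssuingCA         = $issuer.Subject
    Root              = $root.Subject
    ChainBuilds       = $chainBuilds        # $false with 'UntrustedRoot' means the root is not trusted here
    ChainStatus       = $statusText         # 'PartialChain' means the sub-CA cert could not be found
    IssuerInNTAuth    = $issuerInNtAuth     # $false: trusted chain, but the KDC will not accept it for logon
    SmartCardLogonEKU = $hasSmartCardLogon
    ClientAuthEKU     = $hasClientAuth
    SubjectAltName    = $san                # the UPN the KDC maps to an account lives here
    AcceptedForLogon  = ($chainBuilds -and $issuerInNtAuth -and ($hasSmartCardLogon -or $hasClientAuth))
}
```

The NTAuth check reads the forest object directly; `certutil -viewstore -enterprise NTAuth` shows the copy the local machine has cached from it, which is what CryptoAPI consults at logon time. A `ChainBuilds` of `$true` with `IssuerInNTAuth` of `$false` is exactly the "trusted but not accepted" case the last comment describes. One further caveat beyond this script: since the May 2022 KDC hardening (KB5014754) domain controllers also require the certificate to be strongly mapped to the account (the SID extension or an explicit `altSecurityIdentities` mapping), so a UPN in the SAN alone may no longer be enough.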