Score:1

SubCA certificate of trust


I have deployed a PKI infrastructure with a Stand-Alone Root CA (which will be kept offline) and 4 Enterprise SubCAs which depend on this Root CA. To make the computers trust the Root CA, I am going to send the Root CA certificate to the domain computers, distributed from an AD GPO. What I am unsure about is whether I also have to distribute the certificates of the SubCAs to the respective computers that are going to use the certificates of that SubCA.

Thanks

Technically no, but it only takes a few minutes to test and confirm. https://security.stackexchange.com/questions/83874/in-order-to-trust-the-digital-certificate-does-immediate-ca-cert-also-needs-to
Score:0
Jan

When you push the root out via GPO, I would also push the intermediate certificates.

Per RFC the application serving the certificate to the client is required to send the whole chain to the client. The root certificate may be omitted, but can also be included.

Now there might be some scenarios in which there will be problems in your environment:

  • An application is coded badly and sends only the machine certificate
  • A user uploaded a certificate (from the internal PKI) to an application, but is not aware that he has to upload the whole chain. This causes the application to only present the machine certificate to the client

To sum up, you might experience problems, so I would just include the certificates in the same GPO.
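The failure mode this answer describes, as an added example that is not code from the thread: a throw-away Root CA, SubCA and machine certificate are generated with openssl, and the leaf is then validated by a client that holds only the Root CA certificate versus one whose store also contains the SubCA certificate (what the GPO would push). All names, files and the hostname app.example.internal are constructed.

```shell
# Added example (not code from the thread): build a throw-away Root CA -> SubCA -> leaf
# chain with openssl, then check what a client can validate when it holds only the
# Root CA certificate versus Root CA plus SubCA (what a GPO-populated store holds).
# Everything here is constructed: names, files and the hostname app.example.internal.
set -e
work=$(mktemp -d)
cd "$work"

# Minimal req config: a CA extension set for Root/SubCA, an end-entity set for the leaf
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
o() { openssl "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e aborts on failure
# 1. Self-signed (offline) Root CA
o req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 -config ca.cnf -extensions ca_ext
# 2. SubCA certificate issued by the Root CA
o req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Example Sub CA" -config ca.cnf
o x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out sub.pem -days 30 -extfile ca.cnf -extensions ca_ext
# 3. Machine certificate issued by the SubCA
o req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=app.example.internal" -config ca.cnf
o x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ca.cnf -extensions leaf_ext
cat root.pem sub.pem > root_and_sub.pem   # store after a GPO pushed both CA certs

# leaf_validates <trust store file> [extra openssl verify args] -> prints OK or FAIL
leaf_validates() {
  store=$1; shift
  if openssl verify -CAfile "$store" "$@" leaf.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "root only, application sends leaf only:        $(leaf_validates root.pem)"
echo "root only, application sends leaf + SubCA:     $(leaf_validates root.pem -untrusted sub.pem)"
echo "root + SubCA in store, application sends leaf: $(leaf_validates root_and_sub.pem)"
```

The first line prints FAIL (unable to get local issuer certificate) and the other two print OK: a badly coded application that sends only the machine certificate is rescued only when the SubCA certificate is already in the client's store.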

Santyuste
So it is necessary to distribute the Root CA certificate and the SubCA certificate by GPO to the computers in order for them to trust these two CAs?
Jan
It is one way to do it. A certificate can also be published in the domain with the command "certutil -dspublish -f root.crt RootCA", where root.crt is your certificate file of the root CA. This populates the certificate store of domain-joined machines automatically. You have to do it for the Root when it's standalone and not domain joined. I cannot remember doing the same step for the certificate of the intermediate CA, so I guess that cert might be included in the domain automatically when the intermediate CA is domain joined.
Santyuste
To publish the certificate with the -dspublish command, is it not necessary to change the path in the CA server extensions first? Can it be done without adding the LDAP path in the CA server extension? With this command, is the certificate then distributed to the computers in the domain?
Jan
I did not change any paths before executing the command and it worked as expected. However, in our simple environment we regularly had to push the root CRL manually via the same command because the Root CA was offline. So it might not be the optimal setup. But this command is how you would publish it.
Santyuste
If I add the LDAP path to the Standard CA server extensions, do I have to resend the root certificate to the SubCAs?