Click here to get back home

Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ? Pascal 03-26-2008
Posted by Pascal on March 26, 2008, 6:20 am
Please log in for more thread options
 Hi,

we are planning to deploy a certificate hierarchy.

First, we will have a Root CA (standalone Offline) and a subordinate CA
(enterprise online integrated to AD).

My question is which certificate should I have to deploy to my computer
Trusted Root Certification Authorities Store ? The Root CA or the
Subordinate CA ?

I have read in Microsoft website that it should be the Root CA
certificate (and not the Subordinate CA) but I dont understand why !

Indeed, imagine that in the future we decide to install a new
subordinate Enterprise CA (child of the Root CA, so a brother of the
first subordinate CA) for a new acquired company;

If we have installed the Root CA in our domain member computers, then
they will trust every certificate delivered by the new subordinate
Enterprise CA, am I right ?
This is not very nice as the new sub enterprise CA is not defined to
trust computers for the "whole company" but just for the newly acquired
company.

Please could you tell me what do you think about that ?

Thanks

--
Pascal



Posted by Brian Komar \(MVP\) on March 26, 2008, 6:48 am
Please log in for more thread options
 This is basic PKI. Trust is established at the root.
If the CA is a subordinate of a trusted root, you trust the CA.
I would recommend reading Polk and Housley
Brian

> Hi,
>
> we are planning to deploy a certificate hierarchy.
>
> First, we will have a Root CA (standalone Offline) and a subordinate CA
> (enterprise online integrated to AD).
>
> My question is which certificate should I have to deploy to my computer
> Trusted Root Certification Authorities Store ? The Root CA or the
> Subordinate CA ?
>
> I have read in Microsoft website that it should be the Root CA certificate
> (and not the Subordinate CA) but I dont understand why !
>
> Indeed, imagine that in the future we decide to install a new subordinate
> Enterprise CA (child of the Root CA, so a brother of the first
> subordinate CA) for a new acquired company;
>
> If we have installed the Root CA in our domain member computers, then they
> will trust every certificate delivered by the new subordinate Enterprise
> CA, am I right ?
> This is not very nice as the new sub enterprise CA is not defined to trust
> computers for the "whole company" but just for the newly acquired company.
>
> Please could you tell me what do you think about that ?
>
> Thanks
>
> --
> Pascal
>
>


Posted by Pascal on March 26, 2008, 6:51 am
Please log in for more thread options
Thank you for your answer.

In Microsoft website it is written :
"Only root CA certificates must be trusted and registered on client
computers. Do not add subordinate CA certificates to the Group Policy
trust, because intermediate and issuing CAs certificates may not be
explicitly trusted."

Source :
http://technet2.microsoft.com/windowsserver/en/library/e1f11ddb-759b-4f58-90b7-3d32f124d3bc1033.mspx?mfr=true

So I am not understanding that I have to trust the subordinate CA as
you said.

Thanks

> This is basic PKI. Trust is established at the root.
> If the CA is a subordinate of a trusted root, you trust the CA.
> I would recommend reading Polk and Housley
> Brian
>
>> Hi,
>>
>> we are planning to deploy a certificate hierarchy.
>>
>> First, we will have a Root CA (standalone Offline) and a subordinate CA
>> (enterprise online integrated to AD).
>>
>> My question is which certificate should I have to deploy to my computer
>> Trusted Root Certification Authorities Store ? The Root CA or the
>> Subordinate CA ?
>>
>> I have read in Microsoft website that it should be the Root CA certificate
>> (and not the Subordinate CA) but I dont understand why !
>>
>> Indeed, imagine that in the future we decide to install a new subordinate
>> Enterprise CA (child of the Root CA, so a brother of the first subordinate
>> CA) for a new acquired company;
>>
>> If we have installed the Root CA in our domain member computers, then they
>> will trust every certificate delivered by the new subordinate Enterprise
>> CA, am I right ?
>> This is not very nice as the new sub enterprise CA is not defined to trust
>> computers for the "whole company" but just for the newly acquired company.
>>
>> Please could you tell me what do you think about that ?
>>
>> Thanks
>>
>> -- Pascal
>>
>>

--
Pascal



Posted by Brian Komar \(MVP\) on March 26, 2008, 7:37 am
Please log in for more thread options
If a subordinate chains to a trusted root CA, then it is also trusted.
Best bet is for your to read the certificate revocation and status checking
whitepaper that describes how certificates are verified.
http://technet.microsoft.com/en-us/library/bb457027.aspx
PKI is based on root trust.
If you trust the root CA, you trust *ALL* subordinate CAs, no matter how
deep the hierarchy (by default)
Brian

please
> Thank you for your answer.
>
> In Microsoft website it is written :
> "Only root CA certificates must be trusted and registered on client
> computers. Do not add subordinate CA certificates to the Group Policy
> trust, because intermediate and issuing CAs certificates may not be
> explicitly trusted."
>
> Source :
>
http://technet2.microsoft.com/windowsserver/en/library/e1f11ddb-759b-4f58-90b7-3d32f124d3bc1033.mspx?mfr=true
>
> So I am not understanding that I have to trust the subordinate CA as you
> said.
>
> Thanks
>
>> This is basic PKI. Trust is established at the root.
>> If the CA is a subordinate of a trusted root, you trust the CA.
>> I would recommend reading Polk and Housley
>> Brian
>>
>>> Hi,
>>>
>>> we are planning to deploy a certificate hierarchy.
>>>
>>> First, we will have a Root CA (standalone Offline) and a subordinate CA
>>> (enterprise online integrated to AD).
>>>
>>> My question is which certificate should I have to deploy to my computer
>>> Trusted Root Certification Authorities Store ? The Root CA or the
>>> Subordinate CA ?
>>>
>>> I have read in Microsoft website that it should be the Root CA
>>> certificate (and not the Subordinate CA) but I dont understand why !
>>>
>>> Indeed, imagine that in the future we decide to install a new
>>> subordinate Enterprise CA (child of the Root CA, so a brother of the
>>> first subordinate CA) for a new acquired company;
>>>
>>> If we have installed the Root CA in our domain member computers, then
>>> they will trust every certificate delivered by the new subordinate
>>> Enterprise CA, am I right ?
>>> This is not very nice as the new sub enterprise CA is not defined to
>>> trust computers for the "whole company" but just for the newly acquired
>>> company.
>>>
>>> Please could you tell me what do you think about that ?
>>>
>>> Thanks
>>>
>>> -- Pascal
>>>
>>>
>
> --
> Pascal
>
>


Posted by Pascal on March 26, 2008, 8:58 am
Please log in for more thread options
Yes I agree with you and perhaps you dont understand my question as I
dont have a fluent english.

I have understood too that if I install the Root CA cert, I will trust
every subordinate CA even if I dont have their certificates installed.

But my question is "why does Microsoft recommend to install the root CA
and not only the subordinate CA on client computers as if just the
subordinate CA is installed on them, then ONLY certificates delivered
by this subordinate will be trusted.

However, if we install the root CA certificate on computer, EVERY
certicates by EVERY CA subordinate will be trusted

Do you understand my question ?

Thanks

> Best bet is for your to read the certificate revocation and status checking

--
Pascal



Similar ThreadsPosted
Urgent - Subordinate CA certificate expired April 2, 2007, 12:04 pm
Win2003 PKI : Subordinate CA certificate parameter September 11, 2007, 8:33 am
Deploy Root CA to 98 August 17, 2005, 3:01 pm
Root Certificate Authority October 22, 2006, 6:35 am
How to re-issue root CA certificate February 5, 2007, 8:50 pm
CDP in root certificate when renewed July 25, 2008, 5:34 am
Demote Root CA to subordinate - lose existing certs? February 26, 2008, 11:28 pm
How to tell if Certificate Authority is root, stand-alone or? February 8, 2007, 10:27 am
Offline CA Root certificate invisble in AD March 21, 2007, 3:48 pm
Remove Certificate services (Root CA) November 1, 2007, 1:38 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap