Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question, would they be trusted (i.e. would a certificate issued in this fashion work to authenticate to the domain)?

Asked by 5y5tem5
For a real smart card PKI no. Issuing CA certificates are registered in the AD Enterprise NTAuth store. But if you have already gotten that far that step is fairly straightforward. – Greg Askew Jul 26 '21 at 20:34
1 Answer
If all computers in the domain trust the root CA, then by definition they will trust every certificate signed by it, including that of a new sub-CA.
However, if the new sub-CA is not AD-integrated, some computers or applications could have issues in validating the whole CA chain up to the root; in order to fix this, you can deploy the sub-CA's certificate as a Trusted Intermediate Certification Authority using a GPO.

Answered by Massimo
Thank you. Assuming this non-AD-integrated CA's certificate is provided at authentication (certificate chain) or is available to the system that is handling authentication (say via AIA), then in that case it could be used to log in, correct? – 5y5tem5 Jul 26 '21 at 18:47
-
This really depends on where and how you want to login. "Being signed by a trusted CA" and "being authorized to login" are two related but distinct things. The certificate would definitely be *trusted*; whether it would be *accepted* depends on who or what is doing the authentication. – Massimo Jul 26 '21 at 19:05
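The answer and the comments draw a line between three separate things: the chain building up to a trusted root, the sub-CA being findable as an intermediate on the validating host, and the issuing CA being registered in the Enterprise NTAuth store, which is what domain controllers require before they accept a certificate for logon. The following PowerShell script is an added example (not code from the question, the answerers, or Microsoft) that checks each of those conditions for one client certificate on a domain-joined Windows host. The file path is a placeholder; `Test-Certificate` comes from the built-in PKI module and `certutil` from Windows.

```powershell
# Added example: is a given user/smart card certificate merely trusted, or also
# eligible for domain logon? Checks chain trust, local intermediate store, and
# the Enterprise NTAuth store. Run on a domain-joined host; reading the
# enterprise NTAuth store needs no special rights, publishing into it does.
# Assumption: $CertPath is an exported .cer of the certificate under test
# (placeholder path, not from the original thread).
param(
    [string]$CertPath = 'C:\temp\user-cert.cer'   # placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# 1. Chain trust: does the local machine's root store plus any cached/AIA-fetched
#    intermediates build a complete chain? Revocation is disabled here so the
#    result isolates trust from CRL/OCSP reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilt = $chain.Build($cert)
Write-Host "`nChain builds to a trusted root: $chainBuilt"
foreach ($el in $chain.ChainElements) {
    Write-Host ("  {0}" -f $el.Certificate.Subject)
}
if (-not $chainBuilt) {
    $chain.ChainStatus | ForEach-Object { Write-Host ("  status: {0} ({1})" -f $_.Status, $_.StatusInformation.Trim()) }
}

# 2. Intermediate store: the "Trusted Intermediate CA via GPO" fix from the answer
#    lands the sub-CA certificate in Cert:\LocalMachine\CA. If the issuer is only
#    reachable via AIA, validation works but depends on that URL being fetchable.
if ($chain.ChainElements.Count -gt 1) {
    $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint
    $inLocalCA = [bool](Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $issuerThumb)
    Write-Host "`nIssuing CA present in local Intermediate CA store: $inLocalCA"
}

# 3. NTAuth policy: Test-Certificate -Policy NTAUTH applies the same requirement a
#    domain controller does for certificate logon, i.e. the issuing CA must be in
#    the Enterprise NTAuth store. A chain that is trusted (step 1) can still fail here.
$ntAuthOk = Test-Certificate -Cert $cert -Policy NTAUTH -ErrorAction SilentlyContinue
Write-Host "Issuing CA satisfies the NTAuth policy: $([bool]$ntAuthOk)"

# 4. For comparison, list what the forest currently has in NTAuth (read-only view).
Write-Host "`nEnterprise NTAuth store contents:"
certutil -viewstore -enterprise NTAuth

# Registering a sub-CA that an Enterprise Admin decides should be allowed to
# issue logon certificates (publishing, not something this script does):
#   certutil -dspublish -f .\SubCA.cer NTAuthCA    # NTAuth store in AD
#   certutil -dspublish -f .\SubCA.cer SubCA       # AIA container, helps chain building
```

Reading the four outputs together answers the thread's question for one concrete certificate: a `True` in step 1 with a `False` in step 3 is exactly the "trusted but not accepted" case Massimo describes, and the comment from Greg Askew points at the store that step 3 is checking.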