How to create cross certificates (or bridge CAs) in ADCS?

Question

I'm trying to set up a trust between 2 untrusting forests, and I'd like to use either a cross-certificate or Bridge CA solution (not using AD trusts or CEP). I've found loads of advice saying that this can be done, but I can find anything on how to actually do it.

(pics don't appear to be showing - here they are in a Google slides:3 pics from below)

Here's what I have:

I'd like to add a trust like this:

To achieve this:

Having drawn these pictures I can see I'm missing something in that I can't see how or where the cross certification link would be stored.

So far I've completely failed to make one CA sign anything (certificate, CA, req) originating from another CA's hierarchy. Am I going about this the right way? Any pointers as to how to cross sign anything, or whether my diagrams are correct would be great. I'm sorry this is a bit vague, but I'm really not sure which way to go here.

thanks,

Jim

And can you add more details on what you have now and what goals you want to achieve in a result? — Crypt32, Nov 08 '17 at 18:26

score 2 · Accepted Answer · answered Nov 09 '17 at 19:21

Ok, seems like there is nothing about forest trust which is related to Active Directory, not PKI. PKI trust and AD trust are different things. What yo are showing in diagrams is qualified PKI trust and they seem correct and valid.

In short, you need simple qualified subordination. Bridge CA is suitable when there are more than 3 participants in a PKI trust. You issue a cross-certificate against relying party's CA and distribute this certificate across your forest members. During this process you will have to plan it:

what types of certificates (by EKU) you will accept?
are there specific certificate policies you want to map?
what namespaces you will trust?
and so on

When all trust conditions are defined your steps are as follows:

obtain relying party's CA certificate
prepare policy.inf file and define trust conditions (application policy constraints, certificate policy constraints, policy mappings if any, name constraints, etc.)
use certreq -policy path\remotecacert.cer path\policy.inf path\policy.req command to generate cross-certificate request
submit it to your local CA server and issue the certificate
distribute the certificate across all AD forest members by publishing it in AD: certutil -dspublish -f crosscert.cer CrossCA. If necessary, distribute the certificate to non-domain members (either, manually, or MDM software).

Unfortunately, Microsoft has buried a lot of great whitepapers and didn't update them to new versions and the article is not easy to find. However, you can download entire Windows Server 2003 Retired Content archive and find the subject called "Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003". This section will provide all required details about the subject in depth.

This doc is exactly what I am looking for... why have MS mothballed all these guides? I'll work my way through this and write up what I did for future reference. Thanks for your help! — Jim ReesPotter, Nov 10 '17 at 12:07

user185953 · Answer 2 · 2019-03-13T18:00:18.487

Comment to the accepted answer.

MS has resurfaced this particular whitepaper here: https://technet.microsoft.com/library/cc787237(v=ws.10)

To anyone who wants to understand cross-certification quickly I recomend the illustrations in this section of the forementioned paper: https://technet.microsoft.com/library/cc785267(v=ws.10)#cross-certification-between-root-cas Namely, it nicely illustrates that cross-certification creates an "alternative" certificate for the cross-certified CA.

score 0 · Answer 3 · answered Dec 12 '17 at 13:14

0

I also found this site which explains it really clearly:

https://haelters.wordpress.com/2016/12/15/cross-certification-with-constraints-using-windows-server-part-2/

answered Dec 12 '17 at 13:14

Jim ReesPotter

308
2
10

How to create cross certificates (or bridge CAs) in ADCS?

3 Answers3