Re: Root certificate authority no longer added to client machines



In article <OJNXItEIHHA.3616@xxxxxxxxxxxxxxxxxxxx>, in the
microsoft.public.security news group, Stuart Hudman <a@xxxxx>
says...

> I have read as many articles/KB that I can and would like some
> clarification if anyone can, PLEASE!!
>
> We have a standalone RootCA, with Enterprise issuing CAs. We have run
> DSpublish for the RootCA into the AD, but clients do not get entries
> added to their trusted store.

What OS is running on your domain controllers? If you're running
Windows Server 2003 then you should be publishing the root
certificate with certutil and not dspublish.


> From what I understand, and have read many times, is things like:
> "When you install an enterprise root CA or a stand-alone root CA, the
> certificate of the CA is added automatically to the Trusted Root
> Certification Authorities Group Policy for the domain." Well, if this
> is a standalone Root, how the heck does it put it into a GPO? Another
> article states that if the client is a domain member, then they will
> automatically receive the CAs in the trusted store... but neglects to
> say how.
>
> So... in a complete Microsoft world (RootCA, SubEntCAs and clients)...
> how does the trusted store get populated on a client? Do you need a GPO
> or not? Is it a sub-process of auto-enrollment?

If the standalone root certificate is _properly_ published to the
directory then Group Policy will ensure that it is installed on all
Windows clients in the forest. Note that Group Policy is the
publishing mechanism; there's no need to create a specific GPO
to do this.


--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld
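
The publish-and-verify sequence the reply describes, as an added example
that is not part of the original post or of any Microsoft documentation.
It assumes the offline root's certificate has already been exported to
C:\pki\rootca.cer and that the root's subject is "CN=Contoso Root CA";
both names are hypothetical. The publish step runs as an Enterprise Admin
on a domain-joined box; the last step runs on a domain-joined client.

```powershell
# Added example, not from the original post. Hypothetical names:
$CertFile = 'C:\pki\rootca.cer'      # exported root CA certificate (DER or Base64)
$RootName = 'Contoso Root CA'        # the root's CN, used only for the client-side check

# 1. Publish the root certificate into the forest's Certification Authorities
#    container. This is the store the autoenrollment client reads; -f creates
#    the container object if it does not exist yet. Re-running is harmless.
certutil -dspublish -f $CertFile RootCA

# 2. Confirm the object is in the directory. -enterprise reads the AD-backed
#    enterprise store rather than the local machine store.
certutil -enterprise -store Root

#    Or look at the container directly. The configuration naming context is
#    read from RootDSE, so this needs no hard-coded forest DN.
$ConfigNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$Container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$ConfigNC"
$Container.Children | ForEach-Object { $_.Name }

# 3. On a domain-joined client: a Group Policy refresh triggers the
#    autoenrollment client, which copies the published root into the
#    machine's Trusted Root Certification Authorities store. No custom GPO
#    is needed for this; policy refresh is simply what drives the copy.
gpupdate /target:computer /force

$Found = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=$RootName" }
if ($Found) {
    "Root present in Trusted Root store: $($Found.Thumbprint)"
} else {
    "Root not in Trusted Root store yet; check step 2 and the client's policy refresh."
}
```

If step 2 shows the certificate but step 3 never finds it, the usual
causes are a client that is not a member of the forest, computer policy
processing being blocked, or the object having been published under the
wrong container (SubCA instead of RootCA), which is the situation the
first "Relevant Pages" thread below is about.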
