Re: Required Root CAs and CTLs

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 05:32:35 -0800

No, you cannot add those to a CTL; they must be left in their native form.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Lars Olaussen" <Isolauss@hotmail.com> wrote in message
news:%23kko6H1rDHA.1744@TK2MSFTNGP12.phx.gbl...
> In the MS Knowledge Base Article 293781 there is a list of 'Trusted Root
> Certificates That Are Required By Windows 2000'.
>
> Would it be possible to just add these root CAs to a Certificate Trust
> List made by the own PKI implemented? Then all the root CAs shipped
> with Windows could be removed, and only the own PKI and PKIs signed in
> CTLs would be accepted at domain workstations.
>
> The first goal would be to require all drivers, applications etc to be
> digitally signed. Then require all PKIs issuing these certificates to be
> approved by the own root CA; never again have to worry about rogue
> drivers and applications being signed by untrusted 'Trusted Root
> Certificate'.
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
>
>

