Re: Question regarding Certificate Trust Lists

Brian,

Thanks for the reply. If I understand your response correctly, I should be
looking at certificates just to verify the users' identity and some other
mechanism to authorize access to the web site. Would that be correct?

Thanks again.

"Brian Komar" <brian.komar@xxxxxxxxxxxxxxxxx> wrote in message
news:0BE96C0B-FA9C-4DDE-9E3F-37927992E810@xxxxxxxxxxxxxxxx
Your whole idea if flawed.
Trusted root certificates outweigh CTLs.
Since both CAs chain to the *same* trusted root, all certificates are
trusted by any client within the two domains.
Brian

"DLN" <dnadon_nospm@xxxxxxxxxxx> wrote in message
news:OSte527KIHA.5764@xxxxxxxxxxxxxxxxxxxxxxx
Hello all,

I have two Windows domains (domain "A" and domain "B", for the sake of
simplicity) with web servers sitting in both domains. I would like to be
able to secure all the sites in both domains using CTLs, but there is a
single site in domain B that I need to prevent users in domain A from
accessing. Anonymous access to this site needs to stay enabled (for
various reasons, I can't enable Windows authentication on the site). I
was hoping I could also use a CTL for this.

Both domains have enterprise subordinate CAs installed with the
subordinate CA certificate for both being issued by the same stand-alone
root CA. My thinking was that I could accomplish what I want by adding
domain B's CA cert to the CTL and require client certificates, thereby
blocking access to the site from domain A's users. The problem I'm
running into is that in order to create a CTL, I can only add the root CA
to the CTL. If I attempt to add the domain B's subordinate CA
certificate to the CTL, I receive a "Only self-signed certificates are
added to the CTL" from the IIS CTL wizard.

If I correctly understand the information I'm reading regarding CTLs,
only root CAs are allowed, so the error message I'm getting from the IIS
CTL wizard is valid, but it doesn't solve my problem. If I add the root
CA to the CTL, it'll accept certificates issued from the CAs in either
domain. Is there a way to create a CTL that includes a subordinate CA
only, or am I going to have to find a different mechanism to accomplish
what I need?

Thanks.




.

Relevant Pages

  • Re: Required Root CAs and CTLs
    ... No, you cannot add those to a CTL, they must be left in their native form. ... > Would it be possible to just add these root CAs to a Certificate Trust ... > List made by the own PKI implementeted? ... Then require all PKIs issuing these certificates to be ...
    (microsoft.public.windows.server.security)
  • Certificate Question
    ... You have to have a root CA and a subordinate CA. ... The issuing CA is the subordinate. ... >be using eTokens side by side with certificates for 2 ...
    (microsoft.public.win2000.security)
  • Re: Question regarding Certificate Trust Lists
    ... Since both CAs chain to the *same* trusted root, all certificates are trusted by any client within the two domains. ... Both domains have enterprise subordinate CAs installed with the subordinate CA certificate for both being issued by the same stand-alone root CA. ... My thinking was that I could accomplish what I want by adding domain B's CA cert to the CTL and require client certificates, thereby blocking access to the site from domain A's users. ...
    (microsoft.public.windows.server.security)
  • RE: PKI V2 Certificates OS level
    ... certificates) you must publish the templates on a 2003 Enterprise Edition ... Generally speaking you would use a Stand-Alone Root CA running Windows ... The root ca is in no way used to issue a certificate on the subordinate ca. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Certificates Trust List
    ... in my test CTL and Outlook work ok if win2k pro installed with sp3. ... chain are templates version 2 certificates. ... > Hard to tell what the problem might be, but you might be able to use CAPIMON ... >> Here it is the problem with ctl to another organization root cert. ...
    (microsoft.public.windows.server.security)