Re: Which certificate do I have to deploy ? Root CA or Subordinate CA certificate ?



On Wed, 26 Mar 2008 13:58:22 +0100, Pascal wrote:

> Yes I agree with you and perhaps you don't understand my question as I
> don't have fluent English.
>
> I have understood too that if I install the Root CA cert, I will trust
> every subordinate CA even if I don't have their certificates installed.
>
> But my question is "why does Microsoft recommend installing the root CA
> and not only the subordinate CA on client computers, as if just the
> subordinate CA is installed on them, then ONLY certificates delivered
> by this subordinate will be trusted?"

If you don't trust the root then you by definition don't trust any part of
the chain. Simply installing a subordinate CA certificate on a client
computer is not enough. It isn't the process of installing a subordinate CA
certificate that completes the chain of trust, it is the fact that you
trust the root.


> However, if we install the root CA certificate on a computer, EVERY
> certificate by EVERY subordinate CA will be trusted.
>
> Do you understand my question?

If you don't trust the root, you don't trust any part of the PKI.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Software is to computers as yeast is to dough. -- Chuck Bradshaw
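
The chain-of-trust point in the reply above, as an added illustration that is not part of the original post, shown with OpenSSL's verifier rather than the Windows certificate store the thread discusses. It assumes the OpenSSL 1.1.1+ command line; the PKI and all names are constructed throwaway values, and `-partial_chain` is an OpenSSL-specific opt-in.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root -> subordinate -> leaf (illustrative names).

# issue <dir> <name> <CN> <signer-name|self> <extfile>
issue() {
  d=$1; n=$2; cn=$3; signer=$4; ext=$5
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
    -out "$d/$n.csr" -subj "/CN=$cn" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$signer.pem" \
      -CAkey "$d/$signer.key" -CAcreateserial -days 2 \
      -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  issue "$d" root "Example Root CA" self ca.ext &&
  issue "$d" sub "Example Subordinate CA" root ca.ext &&
  issue "$d" leaf "host.example.test" sub leaf.ext
}

# chain_ok <dir> <openssl verify options...>: prints trusted/untrusted for leaf.pem
chain_ok() {
  dir=$1; shift
  if openssl verify "$@" "$dir/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

pki=$(mktemp -d) && build_pki "$pki"
# Root is the trust anchor; the subordinate is only an untrusted helper.
echo "root anchored:        $(chain_ok "$pki" -CAfile "$pki/root.pem" -untrusted "$pki/sub.pem")"
# Only the subordinate is installed: the chain cannot reach a trusted root.
echo "subordinate only:     $(chain_ok "$pki" -CAfile "$pki/sub.pem")"
# OpenSSL accepts a non-root anchor only when explicitly told to.
echo "sub + -partial_chain: $(chain_ok "$pki" -partial_chain -CAfile "$pki/sub.pem")"
```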