ADCS 3rd party wildcard certificate (Security Concerns)
I haven't seen a post related to this question but if one already exists please link the answer.
If I purchase a 3rd party domain wildcard certificate and install it on an AD integrated CS server, is there a potential for a security compromise coming from the trusted 3rd party vendor? I'm assuming they will hold the root certificate and not my organization, and I understand they have very tight security measures, but it seems like it simply adds an additional point of failure for the entire forest. Simply setting up my own root authority to issue to subordinate authorities seems simple enough. (Take down the root and back up at multiple secure sites.)
For public facing services I completely understand why you would need trusted certs.
But for the whole domain I do not understand the added benefit.
My second question, if my domain client computer's certificates are trusted by non-organization computers does it compromise security? Example:
ClientA.NWTraders.com has a trusted 3rd party computer cert and ClientB.Consoto.com has a different trusted 3rd party certificate. Would ClientA be able to connect to ClientB via IPSec, and compromise certain firewall rules?
I'm still pretty new at certificate services and I know these are paranoid questions, but these hypotheticals will help my understanding. Thanks in advance.

If it doesn't work enable everything, blame software errors and rebuild
December 31st, 2010 11:26am
First of all, a commercial provider will *never* provide your CA with a wildcard certificate allowing it to function as a subordinate CA.... ever.
Second, PKI is all about root trust. Yes, the two clients could set up that they trust each other's root CA certificates. The question is - will your firewall allow a client from an outside org to connect to a client computer on your internal network using IPSec.... I highly doubt it.
Brian
December 31st, 2010 5:23pm
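Brian's point can be checked on the certificate itself: a leaf certificate (wildcard or not) carries Basic Constraints CA=FALSE and no KeyCertSign usage, so ADCS cannot use it as a CA certificate. The following PowerShell function is an added example, not code from the thread; the file path is an assumption you replace with the certificate you were issued.

```powershell
# Added example: report whether a certificate file could act as a CA certificate.
# A purchased wildcard server cert is expected to come back with CanActAsCA = False.
function Test-CanActAsCA {
    param([Parameter(Mandatory)][string]$Path)   # assumed: PEM or DER .cer file

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # .NET parses the well-known extensions into typed objects when loading the file.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

    # CA=TRUE in Basic Constraints is required to issue certificates (RFC 5280 4.2.1.9).
    $isCa = ($null -ne $bc) -and $bc.CertificateAuthority

    # If Key Usage is present it must include keyCertSign; if absent, signing is not restricted.
    $canSign = ($null -eq $ku) -or
        (($ku.KeyUsages -band
          [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign) -ne 0)

    $names = if ($san) { $san.Format($false) } else { '' }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        SubjectAltName = $names
        IsWildcard     = ($cert.Subject -match '\*\.') -or ($names -match '\*\.')
        IsCA           = [bool]$isCa
        KeyCertSign    = [bool]$canSign
        CanActAsCA     = [bool]($isCa -and $canSign)   # what ADCS would need to install it as a CA
    }
}

# Usage (path is a placeholder):
Test-CanActAsCA -Path 'C:\certs\wildcard-example.cer'
```

`certutil -dump <file>` shows the same Basic Constraints and Key Usage fields if you prefer the built-in tool.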
Thanks Brian,
I guess I misunderstood the practical application of a wildcard certificate. I assumed it was a cert issued for your internal CA which was the cause of my IPsec concerns.
I understand now a wildcard would only be purchased to simplify certificate issuance of public facing servers and wouldn’t be used as a security mechanism for EFS or IPsec.
Thanks :-)

If it doesn't work enable everything, blame software errors and rebuild
January 1st, 2011 10:11am