Export Enterprise CA cert for use by non-domain members as Trusted Certificate Authority?

We have set up a 2 tier internal CA and plan to implement a GPO to add the offline root CA as a trusted certificate authority.  

The Enterprise Sub CA will issue certificates used for many purposes.  Do we also need to create another GPO for clients to trust the Sub CA?

For computers not joined to our domain, what is the correct way to make these clients trust the certificates issued by the Sub CA (for the "validate server certificate" setting in wireless configuration, for Exchange certificate based authentication and for Intranet web sites that may use an SSL cert issued by the Sub CA)?

I assume we export the certificate to a file and then import that file into these computers, but exactly how?  Which certificate do we export?  The offline Root's certificate or the Sub CA's certificate and what is the procedure to export it to a file format usable by nonmembers of our domain?


August 24th, 2015 12:04am

On Mon, 24 Aug 2015 04:02:46 +0000, MyGposts wrote:

We have set up a 2 tier internal CA and plan to implement a GPO to add the offline root CA as a trusted certificate authority.  

This really isn't the correct approach. The better way to do this is to
enable autoenrollment and then simply publish the root CA certificate to AD
using certutil. All forest members will then automatically download the
cert.


The Enterprise Sub CA will issue certificates used for many purposes.  
Do we also need to create another GPO for clients to trust the Sub CA?

No, they will download the Sub CA certificate as required from the AIA
location you've specified.


For computers not joined to our domain, what is the correct way to make these clients trust the certificates issued by the Sub CA (for the "validate server certificate" setting in wireless configuration, for Exchange certificate based authentication and for Intranet web sites that may use an SSL cert issued by the Sub CA)?

I assume we export the certificate to a file and then import that file into these computers, but exactly how?  Which certificate do we export?  The offline Root's certificate or the Sub CA's certificate and what is the procedure to export it to a file format usable by nonmembers of our domain?

You need to export the root CA cert in either DER or Base64 format.

You also need to look at both your AIA and CDP locations. If you've
specified AD as the locations for these you're going to have problems as
non-domain members won't be able to access those locations in AD. You need
to use HTTP locations for non-domain me

August 24th, 2015 1:44am
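As an added worked example (not part of the original thread, and not Microsoft's or the poster's own script), the steps described in the reply above: publishing the offline root's certificate to AD with certutil, exporting that same root certificate in DER and Base64 form for non-domain machines, importing it on a non-domain Windows client, and checking that the AIA and CDP URLs baked into an issued certificate are HTTP and reachable from outside the domain. The CA name "Contoso Root CA", the host "pki.contoso.com" and every file path are placeholders for your own environment.

```powershell
# Added example for the thread above. "Contoso Root CA", pki.contoso.com and all
# paths are assumed placeholders; replace them with your own values.
# Run each section in an elevated PowerShell prompt on the machine named.

### 1. On the offline root CA: write the root CA's own certificate to a file (DER).
certutil -ca.cert C:\Temp\ContosoRootCA.cer

### 2. On a domain member as Enterprise Admin: publish the root cert to AD.
#    Domain members with autoenrollment enabled pull it into their Trusted Root
#    store on the next Group Policy / autoenrollment cycle; no separate GPO needed.
certutil -dspublish -f C:\Temp\ContosoRootCA.cer RootCA

#    Force a pull on a test client and confirm it landed in LocalMachine\Root.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=Contoso Root CA*' } |
    Format-List Subject, Thumbprint, NotAfter

### 3. Export the ROOT cert (not the Sub CA cert) for non-domain machines.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=Contoso Root CA*' } |
    Select-Object -First 1

# DER (binary) form: what Windows clients import most easily.
Export-Certificate -Cert $root -FilePath C:\Temp\ContosoRootCA-der.cer -Type CERT

# Base64 (PEM-style) form: what Linux, macOS, printers and appliances usually want.
certutil -encode C:\Temp\ContosoRootCA-der.cer C:\Temp\ContosoRootCA-b64.cer

# Record the thumbprint so whoever imports the file can confirm it out of band;
# a trusted root is exactly the kind of file an attacker would like to swap.
"Root thumbprint to verify before import: $($root.Thumbprint)"

### 4. On the non-domain Windows client (elevated): trust the root.
Import-Certificate -FilePath .\ContosoRootCA-der.cer -CertStoreLocation Cert:\LocalMachine\Root

#    Optional but recommended for wireless "validate server certificate": also
#    stage the Sub CA cert in the Intermediate store so the chain builds even
#    before the client has network access to fetch it from the AIA URL.
#    (Sub CA cert exported the same way as in step 3, from LocalMachine\CA.)
Import-Certificate -FilePath .\ContosoSubCA-der.cer -CertStoreLocation Cert:\LocalMachine\CA

### 5. On the Sub CA: confirm AIA and CDP include HTTP URLs, not only LDAP.
#    Entries beginning with "ldap:///" are unreachable for non-domain members.
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs

### 6. From a machine OUTSIDE the domain: build the chain of an issued cert and
#    fetch every AIA/CDP URL it carries. Any "ldap:///" entry will show as
#    unreachable here; the http://pki.contoso.com/... entries must succeed.
certutil -verify -urlfetch .\issued-server.cer
```

If step 6 reports that only LDAP locations could be retrieved, the fix is on the CA side (add HTTP entries to both URL lists, republish the root and Sub CA CRLs to that web server, and reissue affected certificates), not on the client; importing the root certificate alone will not make revocation checking work for machines that cannot read AD.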
