Active Directory – Trust Code Signing Certificates Across Domain

active-directoryad-certificate-servicescertificatecertificate-authority

We have a Microsoft enterprise certificate authority, and I would like to start issuing a few code signing certificates.

But what I'm unsure of is this: since all our domain/forest machines trust the internal CA, when I issue code signing certificates: will all the client systems automagically trust the code signing certs for executing any code, or do I need to add the individual users' code signing certs to the clients' "Trusted People" store (like you might do with their self-signed or third-party certs)?

Best Answer

If you issue the certificates using a trusted CA, then all these certificates will be trusted by your machines. You can have a look at this page.

Related Solutions

How to autoenroll certificates from a Certification Authority in a trusted domain

Cross forest enrollment can be accomplished by following the guide located at http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx. This copies the templates and security principals required to support AutoEnrollment.

Caveat: I have only used this to support Web Enrollment, so I have not personally verified that it can be pushed via group policy. That being said, if it can't, I know it can be done via a startup script that calls CertUtil.

Trusted root certificate being automatically removed from store

Doing more thorough digging in the Application event log, this entry occured:

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          24/10/2014 12:49:10
Event ID:      4108
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      [redacted]
Description:
Successful auto delete of third-party root certificate:: Subject [...redacted...]

It turns out that 3rd party root CA's can be deleted by Windows if they are not recognised:

Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.

http://toastergremlin.com/?p=144

Best Answer

Related Solutions

How to autoenroll certificates from a Certification Authority in a trusted domain

Trusted root certificate being automatically removed from store

Related Topic