How to create cross certificates (or bridge CAs) in ADCS

Tags: ad-certificate-services, certificate-authority, pki

I'm trying to set up a trust between 2 untrusting forests, and I'd like to use either a cross-certificate or Bridge CA solution (not using AD trusts or CEP). I've found loads of advice saying that this can be done, but I can't find anything on how to actually do it.

(pics don't appear to be showing – here they are in a Google slides:3 pics from below)

Here's what I have:
[image: 2 forests, no trust]

I'd like to add a trust like this:
[image: added cross certification]

To achieve this:
[image]

Having drawn these pictures I can see I'm missing something in that I can't see how or where the cross certification link would be stored.

So far I've completely failed to make one CA sign anything (certificate, CA, req) originating from another CA's hierarchy. Am I going about this the right way? Any pointers as to how to cross sign anything, or whether my diagrams are correct would be great. I'm sorry this is a bit vague, but I'm really not sure which way to go here.

thanks,

Jim

Best Answer

OK, it seems there is nothing here about forest trust, which is related to Active Directory, not PKI. PKI trust and AD trust are different things. What you are showing in the diagrams is qualified PKI trust, and they seem correct and valid.

In short, you need simple qualified subordination. Bridge CA is suitable when there are more than 3 participants in a PKI trust. You issue a cross-certificate against the relying party's CA and distribute this certificate across your forest members. During this process you will have to plan:

  • what types of certificates (by EKU) will you accept?
  • are there specific certificate policies you want to map?
  • what namespaces will you trust?
  • and so on

When all trust conditions are defined your steps are as follows:

  • obtain relying party's CA certificate
  • prepare policy.inf file and define trust conditions (application policy constraints, certificate policy constraints, policy mappings if any, name constraints, etc.)
  • use certreq -policy path\remotecacert.cer path\policy.inf path\policy.req command to generate cross-certificate request
  • submit it to your local CA server and issue the certificate
  • distribute the certificate across all AD forest members by publishing it in AD: certutil -dspublish -f crosscert.cer CrossCA. If necessary, distribute the certificate to non-domain members (either manually or via MDM software).

Unfortunately, Microsoft has buried a lot of great whitepapers, didn't update them for new versions, and the article is not easy to find. However, you can download the entire Windows Server 2003 Retired Content archive and find the subject called "Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003". This section will provide all required details about the subject in depth.
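The steps in the answer above carried through end to end, as an added example that is not part of the original answer. It is a PowerShell script run on a CA-side admin host in the local forest (here assumed to be contoso.com with an issuing CA whose config string is ca01.contoso.com\CONTOSO-CA) that cross-certifies a remote forest's CA (assumed fabrikam.com). Every name, path, OID and namespace in it is an assumption for illustration; the policy.inf section names are the ones the qualified-subordination whitepaper documents, and the trust conditions chosen (client authentication and smart card logon only, fabrikam.com names only, one subordinate level, one policy mapping) are an example of the planning decisions listed above, not a recommendation.

```powershell
# Added example, not from the original answer. Cross-certifies a remote forest's CA
# (assumed fabrikam.com) from the local issuing CA (assumed CONTOSO-CA).
# All paths, names, OIDs and namespaces below are assumptions for illustration.

$work      = 'C:\CrossCert'
$remoteCer = "$work\fabrikam-ca.cer"          # remote CA cert, obtained out of band
$policyInf = "$work\policy.inf"
$reqFile   = "$work\policy.req"
$crossCer  = "$work\crosscert.cer"
$localCA   = 'ca01.contoso.com\CONTOSO-CA'    # CAConfig string of the local issuing CA

New-Item -ItemType Directory -Path $work -Force | Out-Null

# Trust conditions for the cross-certificate: which EKUs are accepted, which
# namespaces are trusted, how deep the remote hierarchy may be, and which
# remote certificate policy is treated as equivalent to which local one.
@'
[Version]
Signature = "$Windows NT$"

[BasicConstraintsExtension]
; only the remote CA itself, no further subordinates, is trusted
PathLength = 0
Critical = TRUE

[ApplicationPolicyStatementExtension]
; accept only these EKUs from the remote hierarchy
Policies = ClientAuth, SmartCardLogon
Critical = FALSE

[ClientAuth]
OID = 1.3.6.1.5.5.7.3.2

[SmartCardLogon]
OID = 1.3.6.1.4.1.311.20.2.2

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = TRUE

[NameConstraintsPermitted]
; names the remote CA is allowed to issue for
DNS = "fabrikam.com"
UPN = "@fabrikam.com"
Email = "@fabrikam.com"
DirectoryName = "DC=fabrikam,DC=com"

[NameConstraintsExcluded]
; a carve-out inside the permitted namespace (hypothetical)
DNS = "partner.fabrikam.com"

[PolicyMappingsExtension]
; local (issuer) policy OID = remote (subject) policy OID; both hypothetical
1.3.6.1.4.1.99999.1.1 = 1.3.6.1.4.1.88888.2.1
Critical = FALSE

[RequestAttributes]
; the built-in Cross Certification Authority template; it must be published
; on the issuing CA before the request is submitted
CertificateTemplate = CrossCA
'@ | Set-Content -Path $policyInf -Encoding Ascii

# 1. Build the cross-certificate request from the remote CA cert plus the policy file.
certreq -policy $remoteCer $policyInf $reqFile

# 2. Submit it to the local CA. Requests on the CrossCA template normally sit pending
#    until a CA officer issues them; then retrieve by request ID (the ID is printed
#    by certreq -submit).
certreq -submit -config $localCA $reqFile $crossCer
# certutil -config $localCA -resubmit <RequestId>
# certreq -retrieve -config $localCA <RequestId> $crossCer

# 3. Check that the constraints actually signed into the cross-cert are the planned ones
#    before anything trusts it.
certutil -dump $crossCer |
    Select-String -Pattern 'Name Constraints', 'Application Policies', 'Policy Mappings', 'Path Length'

# 4. Publish it to AD (Enterprise Admins required). This is where the cross-certification
#    link is stored: the crossCertificatePair attribute of the CA object under the AIA
#    container in the Configuration partition, from where domain members pick it up.
certutil -dspublish -f $crossCer CrossCA

# 5. After Group Policy refresh on a member, validate an end-entity cert issued by the
#    remote CA (fabrikam-user.cer is assumed to exist) and confirm the chain builds
#    through the cross-certificate and that the name and EKU constraints hold.
certutil -verify -urlfetch "$work\fabrikam-user.cer"
```

The remote forest does the mirror image of this (their CA cross-certifies CONTOSO-CA) if the trust is to be bidirectional; a single cross-certificate only lets the local forest trust the remote one. The certutil -verify step is the check worth keeping: a cross-certificate whose name constraints do not match how the remote CA actually names its subjects will silently fail to chain, and that shows up there rather than at publication time.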