What are the risks of adding a third-party Root CA certificate to the NTAuth store?

Tags: certificate-authority, nps, radius, windows-server-2012-r2

What are the risks associated with importing a third-party Root CA certificate into the Enterprise NTAuth store in a Windows domain, other than that the CA is then trusted to issue certificates?

This is for test purposes, to fix an issue with wireless clients getting a Windows Security Alert when connecting to a wireless network and being authenticated via a new NPS server running on WS2012 R2.

The Root CA certificate is already present in the computer store of the client machines under Trusted Root Certification Authorities, but the window still appears on the first connection attempt.

The goal is to get rid of the pop-up window shown in the screenshot (image not reproduced here).

EDIT: I will elaborate a little bit.

The goals:

  • allow domain-joined devices to authenticate via NPS;
  • use 3rd party certificate;
  • users should not get Security Warning pop-up window;

NPS on WS2012 R2 is used. PEAP/MSCHAPv2 is used for authentication.

Best Answer

There are several points in the question.

First, the NTAuth store is used to store *issuing* CA certificates that are eligible to issue logon certificates (used when a client certificate is mapped to a user account in Active Directory during authentication). If a CA certificate is present in this store, that CA will be able to issue certificates that can impersonate any user account. The risk is obvious, and I wouldn't trust any CA that is outside the company's control.

The presented dialog informs you that the issuer of the presented RADIUS certificate is not configured in the *wireless/VPN* profile.

What you should do is configure the wireless connection as follows (screenshot of the PEAP properties dialog not reproduced here; the field numbers below refer to it):

In field 2, you can specify a hard-coded list of trusted RADIUS servers. In field 3, you can specify the trusted root authorities that are allowed to issue certificates to RADIUS servers for this profile.

In other words, if you connect to a RADIUS server specified in field 2 and the RADIUS certificate chains up to any selected root CA in field 3, then you will connect silently (without the warning dialog). If any of the requirements is not met, then you will receive the warning dialog.

In a domain environment, you can preconfigure wireless profiles by using group policies: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx