Windows – Is it possible to trust a certificate in Windows without trusting its root CA?

Tags: ssl, windows

Is it possible to get Windows to trust a certificate without getting it to trust the root CA as a trusted root CA?

Say I have the following certificate chain:

Dept-Root-CA
Dept-Intermediate-1
Server-Certificate

I want to trust the Server-Certificate, but do not want to trust Dept-Root-CA because then it could sign any certificate and my servers would trust it. Just because I am willing to trust the certificate on Server-Certificate for a specific operation, doesn't mean I'm willing to trust that Dept-Root-CA has been properly secured.

Thanks

Best Answer

No. As long as the certificate says "Issued by: xxx" then you must also trust xxx, all the way up the chain. If it is a self-signed certificate, you could put it in the Trusted Root CAs store, and since it is issued to and issued by the same entity, it should be trusted then.

But no, it's not generally doable or advisable to completely circumvent the entire purpose of certificate-based security.
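
The chain check the answer describes can be observed without changing any certificate store. The following is an added example, not part of the original question or answer: it builds a constructed throwaway chain using the names from the question and asks Windows to validate it while the root is absent from the trusted root stores. `New-DemoCert` and `Test-Chain` are hypothetical helper names, and the script assumes .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed demo certificates; nothing is installed in any certificate store.
$notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
$notAfter  = $notBefore.AddDays(30)

function New-DemoCert([string]$Name, [X509Certificate2]$Issuer, [bool]$IsCA) {
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Basic Constraints marks whether this certificate may issue others.
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($IsCA, $false, 0, $true))
    if (-not $Issuer) { return $req.CreateSelfSigned($notBefore, $notAfter) }
    $serial = [byte[]]::new(8)
    [RandomNumberGenerator]::Create().GetBytes($serial)
    $serial[0] = 0x01    # keep the serial number positive and minimally encoded
    $cert = $req.Create($Issuer, $notBefore, $notAfter, $serial)
    # Re-attach the private key so this certificate can sign the next level.
    return [RSACertificateExtensions]::CopyWithPrivateKey($cert, $key)
}

function Test-Chain([X509Certificate2]$Leaf, [X509Certificate2[]]$Extra) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # demo certs publish no CRL
    # ExtraStore only helps path building; it grants no trust.
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $trusted = $chain.Build($Leaf)
    [pscustomobject]@{
        Leaf    = $Leaf.Subject
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$root   = New-DemoCert 'Dept-Root-CA'        $null  $true
$inter  = New-DemoCert 'Dept-Intermediate-1' $root  $true
$server = New-DemoCert 'Server-Certificate'  $inter $false

# Full chain supplied, but the root is not a trusted root on this machine.
Test-Chain $server @($inter, $root)
# The self-signed case from the answer: also untrusted until placed in a trusted root store.
Test-Chain $root @()
```

As long as Dept-Root-CA is not in a trusted root store, both calls report `Trusted = False` with an `UntrustedRoot` status, even though the full path to the root was found.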
