AD CS 2008 Group Policy - Why can't I import certificates from AD?

Post by Kristin Gr » Thu, 21 Feb 2008 08:50:54


Hi there,

I have been looking at AD CS group policy settings. It seems that it would
be nice to be able to add certificates to the available GP stores (for
certificate dispersement) using AD. Meaning, if a certificate is published
to AD, then instead of having to import a certificate file, I could browse
and pull it from AD.
I am sure there are reasons why this is not available, or perhaps I
overlooked something?
Anyone have more insight?

Many thanks,

Kristin

AD CS 2008 Group Policy - Why can't I import certificates from AD?

Post by Brian Koma » Thu, 21 Feb 2008 09:49:44

You are duplicating effort with what you propose.
The GPO for root certificate trust replicates the functionality of
certutil -dspublish <certfile> RootCA
The difference is the scope.
- Certutil -dspublish covers the entire forest
- GPO only affects the computers where the GPO is applied
It would really be pointless to browse AD to add a certificate to the root
trust GPO, as it is already trusted by the computers in the forest.
HTH,
Brian


AD CS 2008 Group Policy - Why can't I import certificates from AD?

Post by Kristin Gr » Fri, 22 Feb 2008 03:06:30

But what if I wanted to add certs to the "Trusted People" category? That
would then result in those certificates being added to all domain users'
Trusted People stores, right? And would that not be easier if I could just
pull those certificates from AD?

Just because subjects' certs are stored in AD, that does not make them
trusted to everyone in the domain, does it? And if it does, then why aren't
the certificates published to AD then automatically added to user and
computer stores when someone logs into the domain? Or am I off base here?

thanks again,

Kristin

AD CS 2008 Group Policy - Why can't I import certificates from AD?

Post by Brian Koma » Fri, 22 Feb 2008 07:13:15

I have never used Trusted People at any of the deployments I have worked on.
I base all trust decisions on Root CAs, rather than on individuals (safer,
more standards-based).
Also, individuals typically have more than one certificate, rendering
Trusted People as not that useful.

Trusted People is intended for people outside of your organization, hence
they would not have a cert in your directory.
If the cert is in your directory, it was issued by your PKI, and your root
CA is a trusted root, so there is no need to designate a trusted person.
Brian
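
As an added example that neither participant posted, the following PowerShell script lets an administrator verify both points Brian makes above: it reads the root CA certificates that certutil -dspublish publishes to the forest's Configuration partition and reports whether each one has actually reached the local machine's Trusted Root store, and it then lists every entry in the Trusted People stores whose chain terminates in one of those enterprise roots (entries that are redundant, because the root is already trusted). It assumes a domain-joined Windows machine with read access to the Configuration naming context; the container path and store names are the standard ones, and no other names are taken from this thread.

```powershell
# Added example, not from the thread. Audits enterprise root CA publication
# against the local Trusted Root store and flags redundant Trusted People entries.
# Assumes a domain-joined machine with read access to the Configuration partition.

# 1. Find the Configuration naming context for the current forest.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value

# 2. Read every cACertificate value from the container that
#    "certutil -dspublish <certfile> RootCA" writes to.
$caContainer = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
$publishedRoots = foreach ($entry in $caContainer.Children) {
    foreach ($raw in $entry.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
}

# 3. Index the thumbprints already present in the local machine's Trusted Root store.
$localRootThumbs = @{}
foreach ($c in Get-ChildItem Cert:\LocalMachine\Root) { $localRootThumbs[$c.Thumbprint] = $true }
$publishedThumbs = @{}
foreach ($r in $publishedRoots) { $publishedThumbs[$r.Thumbprint] = $true }

Write-Host "== Root CAs published in AD vs. local Trusted Root store =="
foreach ($root in $publishedRoots) {
    [pscustomobject]@{
        Subject     = $root.Subject
        Thumbprint  = $root.Thumbprint
        NotAfter    = $root.NotAfter
        InLocalRoot = $localRootThumbs.ContainsKey($root.Thumbprint)  # $false: GP/autoenrollment has not delivered it yet
    }
}

# 4. Trusted People entries whose chain ends at a published enterprise root are
#    redundant: the root is already trusted, so the per-person entry adds nothing.
Write-Host "== Trusted People entries chaining to an enterprise root =="
foreach ($store in 'Cert:\LocalMachine\TrustedPeople', 'Cert:\CurrentUser\TrustedPeople') {
    foreach ($tp in Get-ChildItem $store -ErrorAction SilentlyContinue) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation is not the question here; only the chain's anchor matters.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($tp)
        $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Store              = $store
            Subject            = $tp.Subject
            Anchor             = $anchor.Subject
            IssuedByEnterprise = $publishedThumbs.ContainsKey($anchor.Thumbprint)
        }
    }
}
```

Rows with InLocalRoot = $false point at machines that have not yet received the forest-wide root (for example, a Group Policy refresh is pending), and rows with IssuedByEnterprise = $true are Trusted People entries that can be removed without changing what the machine trusts. The Configuration partition is read-only for ordinary users, so the script needs no special rights beyond domain membership.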