Root certificate authority no longer added to client machines

Discussion in 'Security Software' started by Stuart Hudman, Dec 15, 2006.

  1. I have read as many articles/KB that I can and would like some clarification
    if anyone can, PLEASE!

    We have a standalone RootCA, with Enterprise issuing CAs. We have run
    DSpublish for the RootCA into the AD, but clients do not get entries added to
    their trusted store. From what I understand, and have read many times, is things
    like: "When you install an enterprise root CA or a stand-alone root CA, the
    certificate of the CA is added automatically to the Trusted Root
    Certification Authorities Group Policy for the domain." Well, if this is a
    standalone Root, how the heck does it put it into a GPO? Another article
    states that if the client is a domain member, then they will automatically
    receive the CAs in the trusted store... but neglects to say how.

    So... in a complete Microsoft world (RootCA, SubEntCAs and clients)... how
    does the trusted store get populated on a client? Do you need a GPO or not?
    Is it a sub-process of auto-enrollment?

    Thanks

    Stuart
     
    Stuart Hudman, Dec 15, 2006
    #1

  2. Paul Adare (Guest)

    What OS is running on your domain controllers? If you're running
    Windows Server 2003 then you should be publishing the root
    certificate with certutil and not dspublish.

    If the standalone certificate is _properly_ published to the
    directory then Group Policy will ensure that it is installed on all
    Windows clients in the forest. Note that Group Policy is the
    publishing mechanism; there's no need to create a specific GPO
    to do this.
     
    Paul Adare, Dec 15, 2006
    #2

  3. shudman (Guest)

    Thanks for the reply.
    All servers and DCs are Windows 2003 SP1.
    The commands I am running are:

    certutil -dspublish -f c:\rootca.crt RootCA
    certutil -dspublish -f c:\rootca.crl

    These are obviously done from an Ent Subordinate CA, which has connectivity
    to the AD. Re-running these actually states that it is already
    published (only cuz I tried again!).

    Stuart
     
    shudman, Dec 15, 2006
    #3
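The two things the thread turns on are whether the certutil -dspublish step in #3 actually landed the root in the forest's configuration partition, and whether the Group Policy driven autoenrollment that Paul describes in #2 has copied it into a client's machine Trusted Root store yet. The following PowerShell script is an added example, not code from the thread or from Microsoft; it checks both halves from a domain-joined client. It assumes PowerShell 3.0 or later, an account that can read the configuration naming context (any domain user can by default), and that "RootCA" was the name passed as the last argument to certutil -dspublish, as in post #3; the container and attribute names are the standard AD PKI ones.

```powershell
# Added example (not from the thread): verify that the root CA published with
#   certutil -dspublish -f c:\rootca.crt RootCA
# is present in the AD configuration partition, and whether this client has
# already pulled it into its machine Trusted Root store.
# Assumptions: PowerShell 3.0+, domain-joined machine, read access to the
# configuration naming context.

# 1. Locate the "Certification Authorities" container. The RootCA option of
#    certutil -dspublish writes the certificate here, under an object whose
#    CN is the last argument given on the command line ("RootCA").
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.Get('configurationNamingContext')
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = $container
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(objectClass=certificationAuthority)'
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('cacertificate')

# 2. Decode every published cACertificate value. The attribute is multi-valued,
#    so a renewed root shows up as a second certificate under the same object.
$published = @()
foreach ($result in $searcher.FindAll()) {
    foreach ($der in $result.Properties['cacertificate']) {
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,[byte[]]$der)
        $published += [pscustomobject]@{
            Object     = $result.Properties['cn'][0]
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

if ($published.Count -eq 0) {
    # Nothing under the container means the -dspublish step never reached
    # this forest (wrong forest, replication lag, or insufficient rights).
    Write-Warning "No certificationAuthority objects under $($container.distinguishedName)"
    return
}

# 3. Compare against the local machine's Trusted Root store. Roots pulled from
#    AD land here once machine certificate autoenrollment has run; a Group
#    Policy refresh (gpupdate /force) triggers that run on a client.
$localRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
              Select-Object -ExpandProperty Thumbprint

foreach ($p in $published) {
    $state = if ($localRoots -contains $p.Thumbprint) {
        'present in LocalMachine\Root'
    } else {
        'NOT yet in LocalMachine\Root (run gpupdate /force, then re-check)'
    }
    '{0,-10} {1,-45} {2}  expires {3:yyyy-MM-dd}  {4}' -f `
        $p.Object, $p.Subject, $p.Thumbprint, $p.NotAfter, $state
}
```

Run it once on the issuing CA right after the -dspublish commands to confirm the first half, then on an ordinary domain workstation after a gpupdate /force to confirm the second. If the root is in AD but never appears on clients, look at the Certificate Services Client - Auto-Enrollment policy and the client's Application event log rather than at the CA: as the thread says, the download is a Group Policy side effect, not something the CA pushes. For a quick look without PowerShell, certutil -enterprise -store Root on the client lists the roots it has taken from the directory.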
