PKI trust in Active Directory

pki active-directory certificate-authority ad-certificate-services active-directory-adcs

Assuming that the certificate of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question would they be trusted (i.e. would a certificate issued in this fashion work to authenticate to the domain) ?


Solution 1:

If all computers in the domain trust the root CA, then by definition they will trust every certificate signed by it, including that of a new sub-CA.

However, if the new sub-CA is not AD-integrated, some computers or applications could have issues in validating the whole CA chain up to the root; in order to fix this, you can deploy the sub-CA's certificate as a Trusted Intermediate Certification Authority using a GPO.

Related

MQTT certificates verification fails
Is it possible to remove my domain controller and switch to a simpler Windows network?
Gcloud cannot detect network connection
ntpd does not sync clock if it gets internet connection little late
What is the link between the quotient and the Bézout coefficients in the Extended Euclidean Algorithm?
Show that if a function is not negative and its integral is $0$ than the function is $0$
Solve Linear Least Squares Problem with Unit Simplex Constraint
Problem about solvable groups
Proving $f' = - \frac{\partial{F}/\partial{x}}{\partial{F}/\partial{y}}$
Proving that the given set has at most $2^{n-1}$ elements
Bijection $f:\mathcal{P}(A)\to(A\to \{0,1\})$
Proper map not closed