Is it possible to trust a certificate in windows, without trusting its root CA?

windows ssl

Is it possible to get windows to trust a certificate, without getting it to trust the root CA as a trusted root CA?

say I have the following certificate chain,

Dept-Root-CA
Dept-Intermediate-1
Server-Certificate

I want to trust the Server-Certificate, but do not want to trust Dept-Root-CA because then it could sign any certificate and my servers would trust it. Just because I am willing to trust the certificate on Server-Certificate for a specific operation, doesn't mean I'm willing to trust that Dept-Root-CA has been properly secured.

thanks


No. As long as the certificate says "Issued by: xxx" then you must also trust xxx, all the way up the chain. If it is a self-signed certificate, you could put it in the Trusted Root CAs store, and since it is issued to and issued by the same entity, it should be trusted then.

But no it's not generally do-able or advisible to completely circumvent the entire purpose of certificate-based security.


Well.... You could capture that trust information in another way.

It is, unfortunately, a bit complicated.

Create your own CA, then create your own cross-signing issuer for Dept-Intermediate-1 (or Dept-Root-CA) by signing their cert with your CA, possibly adding domain restrictions. If the "real" Dep-Intermediate-1 is deactivated (preferably) or unknown, windows will use your trust chain instead.

See my other answer here: Restrict a root certificate to a domain

This is how certificates are supposed to work, using digital signatures to represent an assertion of key ownership. Since you want to assert the cert and key belongs to the server, you sign it yourself, under your authority, and then tell the system to trust you.

There's still a lot of utility in a certificate without a CA hierarchy, above what SSH keys provide; part of that is the restrictions on them. Key usage, validity dates, revocation information, domain restrictions, etc.. The other part is the identifying information; server which owns the key, identity of the issuer, CA policies enforced, key storage information, etc.

Related

List the current configuration of nginx server [duplicate]
Bash Prompt Below Output - Background Log Tail
Is there a Wikipedia API just for retrieve the content summary?
Could not change executable permissions on the application
Twitter Bootstrap modal: How to remove Slide down effect
What are the useful GCC flags for C?
Swift 3.0 Result of call is unused [duplicate]
How to convert an ISO date to the date format yyyy-mm-dd?
Refreshing Web Page By WebDriver When Waiting For Specific Condition
How to find the Windows version from the PowerShell command line
Getting only Month and Year from SQL DATE
@angular/material/index.d.ts' is not a module