What is the purpose of a custom Certificate Trust List?
You can create and deploy a certificate trust list as detailed here, but I'm trying to understand the advantages of this over just deploying root and intermediate certs with group policy the normal way. Why would I want/need to do this?
Solution 1:
An Enterprise Certificate Trust List (CTL) gives you more granularity and control over exactly what types of certificates and for what purposes those certificates can be trusted. Simply distributing certificates via Group Policy doesn't give you much control over exactly how and under what circumstances those certificates are trusted on your clients.
From TechNet:
A certificate trust list (CTL) enables you to control trust of the purpose and of the validity period of certificates issued by external certification authorities (CAs).
Typically, a certification authority can issue certificates for a wide variety of purposes, such as secure e-mail or client authentication. But there might be situations in which you want to limit the trust of certificates issued by a particular certification authority, especially if the CA is outside your organization. In these situations, creating a CTL and using it through Group Policy can be useful.
Suppose, for example, a certification authority named "My CA" is capable of issuing certificates for server authentication, client authentication, code signing, and secure e-mail. However, you only want to trust certificates issued by My CA for the purpose of client authentication. You can create a CTL and limit the purpose for which you trust certificates issued by My CA so that they are only valid for client authentication. Any certificates issued for another purpose by My CA are not accepted for use by any computer or user in the scope of the Group Policy object (GPO) to which the CTL is applied.
There can be multiple CTLs in an organization. Because the uses and trusts of certificates for particular domains or organizational units might be different, you can create separate CTLs to reflect these uses and assign particular CTLs to particular GPOs.
Through the use of Group Policy in your organization, you have the option of designating trust in CAs by using either the trusted root certification authority policy or the enterprise trust policy (CTLs). Use the following guidelines in determining which policy to use:
• If your organization has its own root CAs and uses Active Directory, you do not need to use the Group Policy mechanism to distribute those root certificates.
• If your organization has its own root CAs that are not installed on servers, you should use the trusted root certification authority policy to distribute your organization's root certificates. For more information, see Trusted root certification authority policy.
• If your organization does not have its own CAs, use the enterprise trust policy to create CTLs to establish your organization's trust of external root CAs. For more information, see Using enterprise trust policy.
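As an added example (not part of the original answer or of the TechNet article), the following PowerShell function shows the purpose check a CTL expresses: it builds a certificate's chain with the chain policy restricted to a single application policy (EKU), so a certificate whose chain of trust does not permit that purpose fails with NotValidForUsage. The file path, the OID table and the function name are assumptions; the OIDs are the standard enhanced key usage identifiers for the four purposes the answer mentions.

```powershell
# Added example: check whether a certificate is trusted for ONE purpose only.
# Assumptions: the certificate is a DER/PEM file on disk; $Purposes maps the
# purposes named in the answer to their standard enhanced key usage OIDs.
$Purposes = @{
    ServerAuth  = '1.3.6.1.5.5.7.3.1'
    ClientAuth  = '1.3.6.1.5.5.7.3.2'
    CodeSigning = '1.3.6.1.5.5.7.3.3'
    SecureEmail = '1.3.6.1.5.5.7.3.4'
}

function Test-CertificatePurpose {
    param(
        [Parameter(Mandatory)] [string] $Path,     # certificate file to test (hypothetical path below)
        [Parameter(Mandatory)] [string] $Purpose   # a key of $Purposes, e.g. ClientAuth
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Restrict the chain policy to a single application policy (EKU). The chain
    # engine then requires the whole chain, including the trust placed in the
    # root, to permit that purpose, which is the restriction a CTL imposes on an
    # external CA such as "My CA".
    $oid = New-Object System.Security.Cryptography.Oid $Purposes[$Purpose]
    $chain.ChainPolicy.ApplicationPolicy.Add($oid) | Out-Null
    # Offline demonstration only; leave revocation checking Online in production.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Purpose  = $Purpose
        Trusted  = $trusted
        Problems = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Usage with a hypothetical path: a certificate issued by a CA that the CTL trusts only
# for client authentication should report Trusted = True for ClientAuth and
# Trusted = False with NotValidForUsage for ServerAuth.
Test-CertificatePurpose -Path 'C:\temp\myca-issued.cer' -Purpose ClientAuth
Test-CertificatePurpose -Path 'C:\temp\myca-issued.cer' -Purpose ServerAuth
```

Run it on a domain-joined client within the scope of the GPO that carries the CTL to confirm the restriction took effect there, since the chain engine evaluates trust against that machine's stores.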