Trusting an untrustworthy CA - Can I restrict how system trusts it?
Solution 1:
Yes, it is possible. In the case of Windows, there is a feature called Cross-Certification or Qualified Subordination.
The idea is that you sign third party's issuing CA certificate in your environment. As the result remote SSL certificate is chained to your own root CA certificate. In order to protect yourself from possible rogue certificates, you implement a Name Constraints
certificate extension where you specify a list of acceptable names. If third party CA issue certificate for any other name (not explicitly specified in the Name Constraints extension), it will be automatically rejected by your CryptoAPI provider.
In addition to name constraints, you can describe Enhanced Key Usages constraint by defining the Application Policies
certificate extension in the cross-certificate. So, your trust provider will successfully validate only usages specified in the Application Policies
extension.
More information: Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003
p.s. although, the article is written against Windows Server 2003, the article still applies to the most recent Windows Server version.