Trusting an untrustworthy CA - Can I restrict how system trusts it?

Solution 1:

Yes, it is possible. In the case of Windows, there is a feature called Cross-Certification or Qualified Subordination.

The idea is that you sign the third party's issuing CA certificate in your environment. As a result, the remote SSL certificate is chained to your own root CA certificate. In order to protect yourself from possible rogue certificates, you implement a Name Constraints certificate extension where you specify a list of acceptable names. If the third party CA issues a certificate for any other name (not explicitly specified in the Name Constraints extension), it will be automatically rejected by your CryptoAPI provider.

In addition to name constraints, you can describe an Enhanced Key Usage constraint by defining the Application Policies certificate extension in the cross-certificate. So, your trust provider will successfully validate only the usages specified in the Application Policies extension.

More information: Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003

P.S. Although the article is written against Windows Server 2003, it still applies to the most recent Windows Server versions.
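The procedure the answer describes, as an added example that is not part of the original answer: a `certreq` policy INF that puts a Name Constraints extension and an Application Policies extension into the cross-certificate, followed by the commands that request, issue and publish it. The partner CA file name `PartnerIssuingCA.cer`, the CA config string `CA01\Contoso-Root-CA`, the domains under `example.com` and the leaf file `PartnerIssuedLeaf.cer` are placeholders chosen for the example.

```powershell
# Added example (not from the original answer): cross-certify a third party's
# issuing CA under your own root while restricting what its certificates may
# assert. Assumptions (placeholders): the partner CA certificate is saved as
# PartnerIssuingCA.cer, your enterprise CA is "CA01\Contoso-Root-CA", and the
# partner may only issue TLS server certificates for hosts under example.com.

$PolicyInf = @'
[Version]
Signature="$Windows NT$"

; Application Policies: only the Server Authentication EKU is honoured on
; certificates that chain through this cross-certificate.
[ApplicationPolicyStatementExtension]
Policies=ServerAuthPolicy
Critical=FALSE

[ServerAuthPolicy]
; 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth
OID=1.3.6.1.5.5.7.3.1

; Name Constraints: names the partner CA is allowed to certify. Anything
; outside the permitted subtrees (or inside an excluded one) fails chain
; validation in CryptoAPI. Critical so that non-aware validators reject
; the chain rather than silently ignore the restriction.
[NameConstraintsExtension]
Include=NameConstraintsPermitted
Exclude=NameConstraintsExcluded
Critical=TRUE

[NameConstraintsPermitted]
DNS=.example.com

[NameConstraintsExcluded]
DNS=.internal.example.com

; The partner CA may not create further subordinate CAs via this path.
[BasicConstraintsExtension]
PathLength=0
Critical=TRUE
'@

Set-Content -Path .\CrossCertPolicy.inf -Value $PolicyInf -Encoding Ascii

# 1. Build a cross-certification request from the partner CA's own
#    certificate, adding the extensions defined in the INF.
certreq -policy .\PartnerIssuingCA.cer .\CrossCertPolicy.inf .\CrossCert.req

# 2. Have your own CA sign the request (placeholder CA config string).
certreq -submit -config "CA01\Contoso-Root-CA" .\CrossCert.req .\CrossCert.cer

# 3a. Domain-wide: publish the cross-certificate to Active Directory so that
#     domain members pick it up through autoenrollment.
certutil -dspublish -f .\CrossCert.cer CrossCA

# 3b. Single machine alternative: add it to the local Intermediate CA store.
# certutil -addstore -f CA .\CrossCert.cer

# 4. Inspect a partner-issued leaf: the reported chain should end at your own
#    root, and a name outside the permitted subtree surfaces as a name
#    constraints error in the output.
certutil -verify .\PartnerIssuedLeaf.cer
```

Two points worth checking once this is in place. First, the partner's own root must not be present in the Trusted Root Certification Authorities store of the relying machines: the Windows chain engine evaluates every path it can build, and a direct path to a trusted partner root carries none of your constraints, so the cross-certificate would be bypassed. Second, `certutil -verify` on a deliberately non-compliant test certificate (a name outside `.example.com`, or a client-authentication EKU) is the quickest way to confirm the constraints are actually being enforced rather than just present in the certificate.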