Monday, December 03, 2012 10:38 AM
I'm currently testing and learning something about Microsoft PKI and found, that I can limit the purpose for trusting external CAs by adding a CTL in Enterprise trust in GPO.
Now I have 2 questions:
1. what is the signing Certificate in a CTL used for and why do I need it, as I only want to limit a Root and/or issue Cert for being used for E-Mail encryption?
2. in this Article: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_pkpunctl.mspx?mfr=true I can see, that, when having a own root ca I do not need this setting, so, how can I do it then for external Certificates? (or is this only for the own CA?)
Thanks for your help and best regards
Wednesday, December 05, 2012 8:18 AMModerator
Thanks for posting in Microsoft TechNet forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Wednesday, December 05, 2012 1:54 PM
For external certificate, you can edit certificate trust list and then add the external certificate to the list.
To use the Certificate Trust List Wizard, you need the following information:
The certificate purposes for this CTL. For more information about CTL purposes, see Using enterprise trust policy.
- The certificates that you want to add to the CTL. You can add certificates from the certificate store on the local computer or from a file. Acceptable file formats from which you can import a certificate are an X.509 v3 certificate file (.cer, .crt), a PKCS #7 file (.spc, .p7b), or a Microsoft serialized certificate store (.sst).
- A certificate that has the Trust List Signing purpose and its associated private key in your personal certificate store. For general instructions on how to request a certificate, see Request a certificate.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Marked As Answer by Fireblade310 Wednesday, December 05, 2012 1:56 PM
Wednesday, December 05, 2012 1:56 PMThanks a lot for your Help Diana, this helped me a lot!