Enterprise Trust (GPO) and a MS PKI

  • Monday, December 03, 2012 10:38 AM

    Hello,

    I'm currently testing and learning about Microsoft PKI and found that I can limit the purposes for which external CAs are trusted by adding a CTL under Enterprise Trust in a GPO.

    Now I have 2 questions:

    1. What is the signing certificate in a CTL used for, and why do I need it, as I only want to limit a root and/or issuing cert to being used for e-mail encryption?

    2. In this article: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_pkpunctl.mspx?mfr=true I can see that when I have my own root CA I do not need this setting, so how can I do it for external certificates? (Or is this only for my own CA?)

    Thanks for your help and best regards

    Fireblade310

All Replies

  • Wednesday, December 05, 2012 8:18 AM
    Moderator

    Hi,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

  • Wednesday, December 05, 2012 1:54 PM
     Answered

    For an external certificate, you can edit the certificate trust list and then add the external certificate to the list.

    To use the Certificate Trust List Wizard, you need the following information:

    • The certificate purposes for this CTL. For more information about CTL purposes, see Using enterprise trust policy.
    • The certificates that you want to add to the CTL. You can add certificates from the certificate store on the local computer or from a file. Acceptable file formats from which you can import a certificate are an X.509 v3 certificate file (.cer, .crt), a PKCS #7 file (.spc, .p7b), or a Microsoft serialized certificate store (.sst).
    • A certificate that has the Trust List Signing purpose and its associated private key in your personal certificate store. For general instructions on how to request a certificate, see Request a certificate.

    http://technet.microsoft.com/en-us/library/cc728449(v=WS.10).aspx

    Regards,

    Diana


    • Marked As Answer by Fireblade310 Wednesday, December 05, 2012 1:56 PM
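The prerequisites in the answer above can be checked from PowerShell before opening the wizard. The reason the third item exists is that a CTL is a signed PKCS #7 object: Windows verifies that signature, and the signer is required to carry the Microsoft Trust List Signing purpose (EKU OID 1.3.6.1.4.1.311.10.3.1), which is why the wizard insists on such a certificate together with its private key. The script below is an added example and is not code from the thread or from Microsoft's documentation; the file names .\external-root.cer and .\external-user.cer are assumptions standing in for the external root you want to restrict and a mail certificate issued under it. The OIDs are the standard ones.

```powershell
# Added example, not code from the original thread. It checks the prerequisites
# listed in the reply above before you open the Certificate Trust List Wizard,
# and then tests what a deployed CTL actually permits.
# Assumptions (not from the thread): the external root is saved as
# .\external-root.cer and a mail certificate issued under it as .\external-user.cer.

$TrustListSigningOid = '1.3.6.1.4.1.311.10.3.1'   # Microsoft Trust List Signing EKU
$SecureEmailOid      = '1.3.6.1.5.5.7.3.4'        # id-kp-emailProtection (Secure Email)
$CodeSigningOid      = '1.3.6.1.5.5.7.3.3'        # id-kp-codeSigning, used as a negative test

function Get-EkuOid {
    # Returns the OIDs in the certificate's Enhanced Key Usage extension
    # (an empty list if the extension is absent, i.e. no restriction).
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. The wizard signs the CTL with a certificate from your Personal store, so it
#    needs one that carries the Trust List Signing EKU and still has its private key.
$signers = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ((Get-EkuOid $_) -contains $TrustListSigningOid) })

if ($signers.Count -eq 0) {
    Write-Warning 'No Trust List Signing certificate with a private key in Cert:\CurrentUser\My. Request one from your CA first.'
} else {
    $signers | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}

# 2. Look at the external root you intend to add. A root normally has no EKU
#    extension at all; the restriction to Secure Email comes from the purpose you
#    select in the CTL, not from anything inside this certificate.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList '.\external-root.cer'
"External root: $($root.Subject)  EKUs in cert: $((Get-EkuOid $root) -join ', ')"

# 3. After the GPO has applied, a certificate issued under that root should build
#    a valid chain for Secure Email only. Test-Certificate (PKI module, Windows 8 /
#    Server 2012 and later) uses the same CryptoAPI chain engine as Outlook.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList '.\external-user.cer'
$mailOk = [bool](Test-Certificate -Cert $leaf -EKU $SecureEmailOid -ErrorAction SilentlyContinue)
$codeOk = [bool](Test-Certificate -Cert $leaf -EKU $CodeSigningOid -ErrorAction SilentlyContinue)
"Valid for Secure Email: $mailOk   Valid for Code Signing: $codeOk (expected False once the CTL restricts the root)"
```

Run step 3 in the same context the CTL is deployed to (a user session for a User Configuration GPO, an elevated session on a domain member for Computer Configuration), after gpupdate has applied the policy; if the root is also present unrestricted in Trusted Root Certification Authorities, the CTL's narrower purpose still governs what the chain is valid for. On an enterprise CA the built-in Trust List Signing template is the usual source of the signing certificate in step 1.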
  • Wednesday, December 05, 2012 1:56 PM
    Thanks a lot for your Help Diana, this helped me a lot!