Help in cross forest certificate

    Question

  • Hi All,

    We have two domains (A, B), both in a two-way trust. Both domains have a separate issuing CA and root CA. Now we have a special requirement: the B_domain users' certificates should be validated when accessing A_domain resources, but vice versa is not required. Please let us know how to implement cross-forest certificates in this scenario.

    Thursday, June 7, 2018 1:15 PM

All replies

  • Is it just about certificate validation only? Or there are plans to retire PKI in one of the forests?

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Thursday, June 7, 2018 4:06 PM
  • Hi Vadims,

    Thanks for your response.  There is no plan to retire PKI in one forest.

    Already a two-way trust is in place between both forests. In A_domain each client requires a certificate to get an IP address from the network switches; the Radius server performs the certificate validation.

    If B_domain users try to log on from A_domain sites, they need to get the IP address with the certificate issued from B_domain.

    Friday, June 8, 2018 10:44 AM
  • Sorry, I can't read this html mess. Can you fix it?

    Vadims Podāns, aka PowerShell CryptoGuy

    Friday, June 8, 2018 11:59 AM
  • Sorry for the inconvenience. I didn't notice it.

    There is no plan to retire PKI in one forest.

    A device certificate is mandatory for each device of A_domain users to get an IP address from the network switches. The Radius servers check the certificate validity.

    B_Domain users will also be part of a few sites; they need to get an IP address from the network switches with their existing B_Domain certificates.

    I would like to know whether a cross-forest certificate between the B_Domain issuing CA and the A_domain issuing CA will help in this scenario.

    Friday, June 8, 2018 3:25 PM
  • In your case, you may choose one of the following options:

    1) publish B's root CA certificate in forest A's trust store. Then every user and every device in forest A will trust certificates issued by CA-B.

    2) if full trust is not an option and you want to apply constraints, you may go with qualified subordination. In forest A, you configure constraints for CA-B and issue a cross-certificate, which is published in the same forest A. In this case, certificates issued by CA-B will be trusted and validated via this cross-certificate and will chain up to the CA-A root CA certificate, which is already trusted in forest A. More details on qualified subordination: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787237(v=ws.10)


    Vadims Podāns, aka PowerShell CryptoGuy

    Saturday, June 9, 2018 1:45 PM
  • Thanks much Vadims!!!

    I understood that the B_domain issuing CA obtaining a cross-forest certificate from the A_domain root CA will help us to achieve our requirements.

    Is it mandatory that the A_domain issuing CA also requests a cross-forest certificate from the B_domain root CA? We don't have any requirement that A_domain users access B_domain applications with certificate validation. Hence I would like to know about this portion.

    Thanks and Regards,

    Hariharan

    Thursday, June 14, 2018 12:09 PM
  • If domain_B users must be authenticated in domain_A, then domain_A performs client authentication and only domain_A should cross-certify domain_B CA and publish the cross-certificate in domain_A. Domain_B is not involved in this process. When cross-certification is done, the chain of domain_B certificates in domain_A will be as follows:

    Leaf_B -> Issuing_B -> CrossCert_A -> Issuing_A -> Root_A

    With the help of cross-certificates, you are not required to trust the Root_B CA certificate; the certification path is constructed via the cross-certificate and ends in your PKI, which is trusted in domain_A.


    Vadims Podāns, aka PowerShell CryptoGuy

    Friday, June 15, 2018 6:10 AM
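    The qualified-subordination option (constrained cross-certificate issued by CA-A for CA-B, producing the Leaf_B -> Issuing_B -> CrossCert_A -> Issuing_A -> Root_A chain) as an added worked example; this is not Vadims's or the thread's own procedure. The forest DNS names, the CA configuration string, the template name and the file names are assumptions, to be replaced with the real environment's values.

    ```powershell
    # Added example (not from the thread): qualified subordination of CA-B by CA-A.
    # Assumed names: forest A = corpA.example, forest B = corpB.example,
    # CA-A config string = "CA01\CorpA-Issuing-CA", CA-B certificate = IssuingB.cer.
    # Run on a machine in forest A with CA administrator rights.

    # 1. Policy.inf: the constraints CA-A stamps into the cross-certificate.
    #    Only names under forest B are accepted, PathLength 0 stops CA-B from
    #    delegating further, and usage is limited to client authentication.
    @'
    [Version]
    Signature="$Windows NT$"

    [BasicConstraintsExtension]
    PathLength = 0
    Critical = True

    [NameConstraintsExtension]
    Include = NameConstraintsPermitted
    Exclude = NameConstraintsExcluded
    Critical = True

    [NameConstraintsPermitted]
    DNS = corpB.example
    UPN = @corpB.example
    DIRECTORYNAME = "DC=corpB,DC=example"

    [NameConstraintsExcluded]
    DNS = corpA.example
    UPN = @corpA.example

    [ApplicationPolicyStatementExtension]
    Policies = AppClientAuthPolicy
    Critical = False

    ; 1.3.6.1.5.5.7.3.2 = Client Authentication
    [AppClientAuthPolicy]
    OID = 1.3.6.1.5.5.7.3.2
    '@ | Set-Content -Path .\CrossPolicy.inf -Encoding Ascii

    # 2. Build the cross-certificate request from CA-B's issuing CA certificate
    #    (exported in forest B) plus the policy above.
    certreq -policy .\IssuingB.cer .\CrossPolicy.inf .\CrossCert_A.req

    # 3. Submit to CA-A using the Cross Certification Authority template (CrossCA).
    certreq -submit -config "CA01\CorpA-Issuing-CA" -attrib "CertificateTemplate:CrossCA" .\CrossCert_A.req .\CrossCert_A.cer

    # 4. Publish CrossCert_A in forest A's AD so clients and the RADIUS server can
    #    build Leaf_B -> Issuing_B -> CrossCert_A -> Issuing_A -> Root_A.
    certutil -dspublish -f .\CrossCert_A.cer CrossCA

    # 5. Check: a forest-B user certificate should now chain to Root_A, not Root_B.
    certutil -verify -urlfetch .\UserB.cer
    ```

    The `certutil -verify` output should show the chain terminating at Root_A; a CA-B certificate carrying a name outside corpB.example should fail with a name-constraints error, which confirms the cross-certificate is doing the limiting rather than a blanket trust of Root_B.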
  • Thanks much Vadims. Let me try in our environment.
    Wednesday, June 20, 2018 2:06 PM