How to Enable Certificate Trust List (CTL) on Server 2008 R2 for UAG Privileged Endpoint Policy RRS feed

  • General discussion

  • Hello.

    I want to use the Privileged Endpoint Policy that ships a part of UAG. As i understand it the user needs a client cert and the CA that issued the cert has to be in the CTL. The problem i am having is around the UAG server & CTL.

    The instructions i found on technet refer to Server 2003 & IIS6 (strange as i didn't think UAG was supported on server 2003)

    There are a few blogs about the MakeCTL utility, part of the Server 2003 SDK. But these don't work either.

    Does anyone know how to configure CTL on Server 2008 R2, or is there another way to deploy the Privileged endpoint policy?



    Monday, April 19, 2010 11:06 PM

All replies

  • Hi,

    Are you getting confused between a Privileged Endpoints and a Certified Endpoints?

    A privileged endpoint can normally be defined using policy/expressions scripts and would include elements that you define to determine a "privileged" machine.



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and
    Tuesday, April 20, 2010 1:21 AM
  • AFAIK CTL Support ist implemented in IIS 7.5/W2K8 R2 yet. See

    For Certified Endpoint you do not need necessarily a CTL. However it is advisable not to trust every CA for the Certified Endpoint feature. Until CTLs are not available you might need to live without this added security feature.

    I'd be also curious when CTL support will be available because I think this is really a security matter (you could also delete all other CA certificates from the Trusted Root certificate store of the UAG machine).

    Best regards




    Tuesday, April 20, 2010 12:20 PM