Sorry for this late reply, I have been otherwise busy for some time.
Yes, I did this via Server 2008 R2.
What I actually did was to add the certificate via Group policy, so
it was automatically propagated to the trusted CA store on all computers
in the domain (including Windows 2000/XP/2003/Vista/2008/Win7/2008R2).
Specifically, I started "Group Policy Management" (on a 2008R2 DC),
navigated to Forest:our.domain, Domains, our.domain, Group Policy
Objects, Default Domain Policy, right clicked to Edit.
Then in the "Group Policy Management Editor", I navigated to Computer
Configuration, Policies, Windows Settings, Security Settings, Public
Key Policies, Trusted Root Certification Authorities, right clicked
the (initially blank) right pane and chose "Import".
As for the general safety of data stored in group policies on a
Windows DC, I will leave it to others to speculate, but once you
are using that DC to authenticate access to all your computers anyway,
any doubts about its safety are mostly moot. However, just in case,
I keep read-only copies of the certificate (as an ordinary PEM-format
file) on a file server, so I can easily import it to programs that
don't use the MS certificate store, such as OpenSSL and Mozilla, on
any machine with access to the network. I also made that file available
on a hidden https URL that uses a commonly trusted public CA for its
certificate, to provide a way to securely bootstrap off-site laptops
into trusting our private certificates.
Have fun,
On 08-09-2010 04:42, Mohan Radhakrishnan wrote:
Hi,
I have a question. Is this the Windows native store for CA
certificates? Which MS help doc are you referring to? We want a secure
storage facility for all our certificates, but we don't want to buy a
separate product.
Thanks,
Mohan
On Wed, Sep 8, 2010 at 5:10 AM, Dongsheng Song<dongsheng.s...@gmail.com> wrote:
Are you testing with 2008/Win7?
My self-signed certificate can automatically go to 'Trusted Root
Certification Authorities' on an XP/2k3 box, but not on a 2008 box.
If the answer is 'YES', could you share the configuration?
Because I compared my self-signed certificate with the Microsoft 2010 Root CA
and found no meaningful difference.
Thanks,
Dongsheng
On Wed, Sep 8, 2010 at 01:59, Jakob Bohm<jb-open...@wisemo.com> wrote:
On 07-09-2010 09:59, Dongsheng Song wrote:
Hi,
When I install my self-signed certificate into the 'Certificate Store' of
Windows 2008, if I select 'Automatically select the certificate store
based on the type of certificate', then the self-signed certificate ends
up in 'Intermediate Certification Authorities', not in 'Trusted Root
Certification Authorities'.
How can I create a self-signed certificate with the correct certificate TYPE?
Regards,
Dongsheng
Note that this did NOT happen with the self-signed CA root cert that I
created with openssl (via a GUI front end) for our internal network CA.
(Used for such boring tasks as SSL certificates for domain controllers
etc.).
It has the following attributes (anonymised here):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:dd:1a:38:49:01:61:a4
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
        Validity
            Not Before: Apr 19 18:41:02 2010 GMT
            Not After : Apr 16 18:41:02 2020 GMT
        Subject: C=XX, L=Somecity, O=OurCompany, CN=OurCompany Inc.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    (Omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
            X509v3 Authority Key Identifier:
                keyid:9E:37:BE:96:A4:55:F4:B9:6A:27:85:0F:F8:A2:6F:EE:E4:3D:B4:35
                DirName:/C=XX/L=Somecity/O=OurCompany/CN=OurCompany Inc.
                serial:F8:DD:1A:38:49:01:61:A4
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Issuer Alternative Name:
                <EMPTY>
            Netscape Comment:
                WiseMo Internal CA
            Netscape CA Revocation Url:
                https://SomeInternalServer/somename.crl
            Netscape Revocation Url:
                https://SomeInternalServer/somename.crl
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        (omitted)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
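The attributes in the dump above (Subject equal to Issuer, AKI keyid equal to the SKI, Basic Constraints CA:TRUE, Key Usage keyCertSign/cRLSign) are what distinguish a self-signed root CA certificate from a self-signed end-entity certificate. The script below is an added example, not code from this thread or from OpenSSL itself: it builds a root CA with that extension profile via an OpenSSL config, builds a self-signed leaf certificate for contrast, and checks each for the root-CA properties. DN values and paths are placeholders; it assumes the `openssl` CLI is installed.

```shell
# Added example: self-signed root CA vs. self-signed leaf, checked with
# openssl x509. DN values and the work directory are placeholders.
set -e
WORK="${TMPDIR:-/tmp}/rootca-example.$$"
mkdir -p "$WORK"
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = XX
L  = Somecity
O  = OurCompany
CN = OurCompany Inc.
[ root_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
[ leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
EOF
# make_cert <extension section> <output PEM>: self-signed cert with a fresh key
make_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions "$1" \
    -keyout "$WORK/$1.key" -out "$2" 2>/dev/null
}
# classify_cert <PEM>: "root" if self-issued, CA:TRUE and allowed to sign
# certificates (the profile of the dump above); otherwise "intermediate"
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  text=$(openssl x509 -in "$1" -noout -text)
  if [ "$subj" = "$iss" ] && printf '%s\n' "$text" | grep -q 'CA:TRUE' \
     && printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo root
  else
    echo intermediate
  fi
}
make_cert root_ca "$WORK/ca.pem"
make_cert leaf    "$WORK/leaf.pem"
classify_cert "$WORK/ca.pem"     # root
classify_cert "$WORK/leaf.pem"   # intermediate
```

Both certificates are self-signed; only the first carries the CA extensions, which is the difference to look for when a certificate lands in the wrong Windows store.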