Is it possible to get Windows to trust a certificate, without getting it to trust the root CA as a trusted root CA?
say I have the following certificate chain,
Dept-Root-CA
Dept-Intermediate-1
Server-Certificate
I want to trust the Server-Certificate, but do not want to trust Dept-Root-CA because then it could sign any certificate and my servers would trust it. Just because I am willing to trust the certificate on Server-Certificate for a specific operation, doesn't mean I'm willing to trust that Dept-Root-CA has been properly secured.
thanks
No. As long as the certificate says "Issued by: xxx" then you must also trust xxx, all the way up the chain. If it is a self-signed certificate, you could put it in the Trusted Root CAs store, and since it is issued to and issued by the same entity, it should be trusted then.
But no, it's not generally doable or advisable to completely circumvent the entire purpose of certificate-based security.
Well.... You could capture that trust information in another way.
It is, unfortunately, a bit complicated.
Create your own CA, then create your own cross-signing issuer for Dept-Intermediate-1 (or Dept-Root-CA) by signing their cert with your CA, possibly adding domain restrictions. If the "real" Dept-Intermediate-1 is deactivated (preferably) or unknown, Windows will use your trust chain instead.
See my other answer here: Restrict a root certificate to a domain
This is how certificates are supposed to work, using digital signatures to represent an assertion of key ownership. Since you want to assert the cert and key belongs to the server, you sign it yourself, under your authority, and then tell the system to trust you.
There's still a lot of utility in a certificate without a CA hierarchy, above what SSH keys provide; part of that is the restrictions on them: key usage, validity dates, revocation information, domain restrictions, etc. The other part is the identifying information: the server which owns the key, the identity of the issuer, CA policies enforced, key storage information, etc.