I am considering securing my work environment with certificates and thus have a couple of questions.
My Active Directory domain is domain.com. If I buy a commercial wildcard SSL certificate from i.e. COMODO is it possible to create S/MIME user certificate (after installing CA on the domain controller: dc.domain.com)?
The certification path would be: COMODO CA -> Intermediate CA -> *.domain.com -> [email protected]
Is it doable, or should I buy an individual certificate for each user from COMODO? If so, would the certificate be trusted outside my organisation?
The second question is about S/MIME certificate deployment. Is there a GPO for distributing user certificates, attaching them to the email account and publishing them to the GAL?
Thanks for any suggestions.
No, it won't work that way. Certificates you purchase from commercial CAs are not eligible to sign other certificates. In order to sign other certificates, your cert must have the Basic Constraints certificate extension with the isCA bit set to 1. However, all certificates purchased from commercial providers have this bit set to 0. Although, technically, it is possible to create such a configuration, it won't work, because of certificate validation failure. You should purchase a separate certificate for each mail address.
Just to note: NEVER install a CA on domain controllers. If you install one, install it on a dedicated server.