IT Consultant Everyday Notes

Just some problems/solutions storage

PKI: Why Root CA certificate is duplicated in Intermediate Certificate Authorities container?

Built another two-layer PKI infrastructure for one of my customers and noted that the offline Root CA certificate is added not just to the “Trusted Root Certification Authorities” container but also to the “Intermediate Certification Authorities” container in the local store on domain-joined machines.

Googled and looked around a bit, and apparently it is by design. The best discussion and references are here: https://social.technet.microsoft.com/Forums/Azure/en-US/a1ccbc8f-e0d3-4aae-a07d-0ae0b1117426/why-is-ad-published-root-certificate-duplicated-into-the-intermediate-certification-authorities?forum=winserversecurity

According to Brian Komar: “A root CA certificate can be an intermediate CA certificate after a root CA is renewed with a new key pair !!!!”
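The mechanism behind the duplication: `certutil -dspublish -f RootCA.crt RootCA` writes the root certificate into both the “Certification Authorities” and the “AIA” containers under CN=Public Key Services in the AD configuration partition; the Group Policy client then copies the first container into the local “Trusted Root Certification Authorities” store (Cert:\LocalMachine\Root) and the second into “Intermediate Certification Authorities” (Cert:\LocalMachine\CA). The script below is an added example and is not from the original post or the TechNet thread. It lists every certificate present in both local stores, flags whether each is self-signed and how many certificates share its subject (more than one usually means a renewed root, the case Brian Komar describes), and optionally reads the AIA container from AD for comparison. It assumes a domain-joined machine with LDAP read access for the `-IncludeActiveDirectory` switch; the function and parameter names are mine.

```powershell
# Added example, not part of the original post: find CA certificates that sit in
# both the Trusted Root (Root) and Intermediate (CA) machine stores and, optionally,
# show what the AD "AIA" container publishes so the two can be compared.

function Get-DuplicatedCaCertificate {
    [CmdletBinding()]
    param(
        [string]$RootStorePath         = 'Cert:\LocalMachine\Root',
        [string]$IntermediateStorePath = 'Cert:\LocalMachine\CA'
    )

    $rootCerts = @(Get-ChildItem -Path $RootStorePath)
    $caCerts   = @(Get-ChildItem -Path $IntermediateStorePath)

    # Index the intermediate store by thumbprint so each root is looked up once.
    $caByThumbprint = @{}
    foreach ($c in $caCerts) { $caByThumbprint[$c.Thumbprint] = $c }

    foreach ($root in $rootCerts) {
        if (-not $caByThumbprint.ContainsKey($root.Thumbprint)) { continue }

        [pscustomobject]@{
            Subject          = $root.Subject
            Thumbprint       = $root.Thumbprint
            # A true root is self-signed: subject and issuer are the same DN.
            IsSelfSigned     = ($root.Subject -eq $root.Issuer)
            NotAfter         = $root.NotAfter
            # Several root-store entries with one subject but different thumbprints
            # are the footprint of a renewed root CA (old and new certificate both
            # published); with a new key pair the old one becomes an intermediate
            # in chains built from the new root.
            SameSubjectCount = @($rootCerts | Where-Object { $_.Subject -eq $root.Subject }).Count
        }
    }
}

function Get-AdPublishedAiaCertificate {
    # Reads the AIA container of the current forest via ADSI (assumes a
    # domain-joined machine and LDAP read rights on the configuration partition).
    [CmdletBinding()]
    param()

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $aia = [ADSI]"LDAP://CN=AIA,CN=Public Key Services,CN=Services,$configNC"

    foreach ($entry in $aia.Children) {
        # cACertificate is multi-valued; each value is a DER-encoded certificate.
        foreach ($der in $entry.Properties['cACertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            [pscustomobject]@{
                AdObject     = $entry.Properties['cn'][0]
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

# Usage: run on a domain-joined workstation after Group Policy has refreshed.
$local = Get-DuplicatedCaCertificate
$local | Format-Table -AutoSize

if ($local | Where-Object { $_.IsSelfSigned }) {
    Write-Host 'Self-signed root(s) present in the Intermediate CA store, as expected for AD-published roots.'
}

# Optional: confirm the same thumbprints are what AD publishes in the AIA container.
# Get-AdPublishedAiaCertificate | Format-Table -AutoSize
```

If a self-signed certificate shows up in the Intermediate store with `SameSubjectCount` of 1, it is simply the AD-published copy from the AIA container and nothing to clean up; a count of 2 or more with different thumbprints is the renewed-root case, and the older certificate should stay until every certificate it issued has expired.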
