We have successfully tested Active Directory logon with X.509v3
certificates in a Windows Server 2003 domain, based on certificates which
have been generated with the crypto library OpenSSL 0.9.8. In order to
verify client certificates, the test certificate chain, consisting of a
root CA and a sub-CA certificate, needs special Microsoft attributes.
Now, we have some questions left:
1. Is the root certificate required to carry the Microsoft attributes?
Or is it possible to configure Active Directory in such a manner that only
the sub-CA certificate contains the required extensions?
2. When configuring the Windows Server 2003, a "dummy" installation of
the Windows-specific certification authority was needed in order to
produce a Domain Controller certificate. As soon as the DC certificate
exists (and only then) the authentication process with the
client certificate at the domain will work, and we can remove the Windows
CA without loss of functionality. Our question is: Is it possible to
avoid the installation of the Windows CA by configuring Active Directory
in a certain manner?