Special Microsoft Attributes

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Special Microsoft Attributes

Stephan Uhde
Hello,

We have successfully tested active-directory-logon with x509v3
certificates at a windows server 2003 domain based on certificates which
have been generated with the cryptolibrary OpenSSL-0.9.8. In order to
verify client certificates, the test certificate-chain, consisting of a
root-CA and a sub-CA certificate, needs special Microsoft attributes
(“Mircrosoft-CA”).
Now, we have some questions left:

1. Is the root-certificate required to carry the Microsoft attributes?
Or is it possible to configure active directory in a manner, that only
the sub-CA-certificate contains the required extensions?

2. When configuring the Windows Server 2003 a "dummy" installation of
the Windows specific certification authority was needed in order to
produce a Domain Controller Certificate. A soon as the DC-certificate
exists (and only then) the authentication process with the
client-certificate at the domain will work and we can remove the windows
CA without loss of functionality. Our Question is: Is it possible to
avoid the installation of the Windows-CA by configuring Active Directory
in a certain manner?

Regards,
Stephan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]