Trusted Root Certificate Authorities Missing from Domain Controllers?

Today I ran into a peculiar issue when configuring a GPO policy for 802.1X authentication with WPA2-Enterprise. When you use PEAP for authentication, you need to assign which Certificate Authorities’ (CAs) certificates will be accepted for authentication. I went to add the new CA in the GPO settings, and was mighty surprised when the CA I wanted to add was completely missing along with a lot of other well-known CAs.

After a lot of Googling, I found an obscure reference to how Root CA Certificates are handled on Domain Controllers. For unknown reasons, Microsoft decided that modern versions of Microsoft Server shouldn’t ship with all conceivable Root CAs installed out of the box, and they don’t update the Root CAs as desktop OSs do either. Instead, the first time the server is presented with a CA that it doesn’t have a Trusted Root Certificate for, it downloads it (presumably from Microsoft Update), and installs it into the correct certificate store.

This means, that if you like me have to add a Root CA Certificate to a Domain Controller, all you need to do is navigate to some site that has a certificate signed by the CA in question, and Windows will automatically download and install it for you!

The reason behind this logic is presumably to avoid breaking something if a Root CA suddenly becomes untrusted by the browser community, and instead leave it up to the administrator to handle it. Another reason I found for this is to limit the size of the installation media, but I can’t really understand why the couple of megabytes needed to store every single CA certificate known to mankind would be such an issue.



Categories: Tech

Tags: , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: