Today I ran into a peculiar issue when configuring a GPO policy for 802.1X authentication with WPA2-Enterprise. When you use PEAP for authentication, you need to assign which Certificate Authorities’ (CAs) certificates will be accepted for authentication. I went to add the new CA in the GPO settings, and was mighty surprised when the CA I wanted to add was completely missing along with a lot of other well-known CAs.
After a lot of Googling, I found an obscure reference to how Root CA Certificates are handled on Domain Controllers. For unknown reasons, Microsoft decided that modern versions of Microsoft Server shouldn’t ship with all conceivable Root CAs installed out of the box, and they don’t update the Root CAs as desktop OSs do either. Instead, the first time the server is presented with a CA that it doesn’t have a Trusted Root Certificate for, it downloads it (presumably from Microsoft Update), and installs it into the correct certificate store.
This means that if you, like me, have to add a Root CA Certificate to a Domain Controller, all you need to do is navigate to some site that has a certificate signed by the CA in question, and Windows will automatically download and install it for you!
The reason behind this logic is presumably to avoid breaking something if a Root CA suddenly becomes untrusted by the browser community, and instead leave it up to the administrator to handle it. Another reason I found for this is to limit the size of the installation media, but I can’t really understand why the couple of megabytes needed to store every single CA certificate known to mankind would be such an issue.
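The on-demand behaviour described above can also be driven explicitly, without browsing from the Domain Controller. The script below is an added example, not part of the original post: it checks whether a root is already in the machine's Trusted Root store and, if not, pulls Microsoft's current root list with `certutil -generateSSTFromWU` and installs only the one certificate whose thumbprint matches. It goes beyond the browse-to-a-site approach in the post; the `-Thumbprint` value is something you supply from the CA's own published documentation, and the scratch file path is an assumption. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post).
# -Thumbprint: SHA-1 thumbprint of the wanted root CA, taken from the CA's own documentation.
# -SstPath:    scratch file for the downloaded root list (assumed location).
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$SstPath = (Join-Path $env:TEMP 'wu-roots.sst')
)

# Normalise the thumbprint: strip spaces/colons, upper-case to match the cert store format.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Is the root already trusted on this machine?
$existing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $Thumbprint
if ($existing) {
    "Already trusted: $($existing.Subject)"
    return
}

# 2. Download the root list Windows would otherwise fetch on demand.
certutil.exe -generateSSTFromWU $SstPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE"
}

# 3. Load the serialized store and pick out exactly one certificate by thumbprint.
$roots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$roots.Import($SstPath)
$match = $roots | Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
if (-not $match) {
    throw "Thumbprint $Thumbprint is not in the root list downloaded from Windows Update."
}

# 4. Install only that certificate into LocalMachine\Root.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $store.Add($match)
    "Installed: $($match.Subject) (expires $($match.NotAfter.ToString('yyyy-MM-dd')))"
}
finally {
    $store.Close()
    Remove-Item $SstPath -ErrorAction SilentlyContinue
}
```

Once the root is in the store, it should appear in the list of trusted CAs in the PEAP settings of the GPO editor the next time the dialog is opened.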