2

We have a Microsoft enterprise certificate authority, and I would like to start issuing a few code signing certificates.

But what I'm unsure of is this: since all our domain/forest machines trust the internal CA, when I issue code signing certificates: will all the client systems automagically trust the code signing certs for executing any code, or do I need to add the individual users' code signing certs to the clients' "Trusted People" store (like you might do with their self-signed or third-party certs)?

3 Answers

3

If you issue the certificates using a trusted CA, then all these certificates will be trusted by your machines. You can have a look at this page.

1
  • That's what I suspected... thanks for the confirmation. We'll just have to be careful who we issue the code signing certs to, as they'll be inheriting a lot of power. Commented Dec 2, 2011 at 17:15
0

It depends... I used to think that way, but then we started using System Center Update Manager. For the cert to be trusted in this case, it needs to be added to the "Trusted Publishers" store even when it's from your CA.

http://mikeshellenberger.wordpress.com/2010/09/02/system-center-updates-publisher-microsoft-pki/

1
  • Hmm... interesting. Guess I'll have to try it and see! Commented Dec 6, 2011 at 15:03
0

You want to add this to "TrustedPublishers" as well as the "TrustedRoot".

https://www.spreadsheet1.com/how-to-add-certificate-to-trusted-publishers-in-excel.html

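rem The store name certutil expects is TrustedPublisher; the loop adds each .cer file individually
for %f in (*.cer) do certutil -addstore TrustedPublisher "%f"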
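
The answers above distinguish two separate things: whether a signing certificate chains to a root the machine trusts, and whether that exact certificate is listed in the Trusted Publishers store. The following is an added example, not part of the original thread, that reports both for a signed file; the function name `Get-CodeSigningTrustReport` and its parameter are hypothetical, and revocation checking is switched off on the assumption that the check runs offline.

```powershell
# Added example: report how this machine sees the signer of a file.
# Get-CodeSigningTrustReport is a hypothetical name, not a built-in cmdlet.
function Get-CodeSigningTrustReport {
    param(
        [Parameter(Mandatory)] [string] $Path   # signed .exe, .dll, .msi, .ps1 ...
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned file, or a format Authenticode does not understand.
        return [pscustomobject]@{ File = $Path; SignatureStatus = $sig.Status; Signer = $null }
    }

    # 1. Chain trust: does the signer lead back to a root this machine trusts?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline; use 'Online' to include CRL/OCSP
    $chainOk = $chain.Build($cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    # 2. Purpose: does the certificate carry the Code Signing EKU (1.3.6.1.5.5.7.3.3)?
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    # 3. Publisher trust: is this exact certificate in a Trusted Publishers store?
    $inPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
        Where-Object Thumbprint -eq $cert.Thumbprint)

    [pscustomobject]@{
        File               = $Path
        SignatureStatus    = $sig.Status
        Signer             = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        ChainBuilds        = $chainOk
        ChainErrors        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Root               = $root
        HasCodeSigningEku  = $hasCodeSigning
        InTrustedPublisher = $inPublishers
    }
}
```

A result with `ChainBuilds` true and `InTrustedPublisher` false is the situation the second answer describes: the certificate chains to the internal CA but has not been listed as a publisher on that client.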
