Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else's root certificate with name constraints. This allows you to trust a vendor/partner/etc. root certificate without giving them the possibility of spoofing Google or any other company they shouldn't sign for.

The same caveat applies to this post: not all operating systems honor name constraints, so if you are running mostly macOS machines this won't help that much.

So let’s get going.

The simple solution:

  1. Get root certificate from vendor/partner
  2. Create CSR from certificate
  3. Verify CSR
  4. Sign CSR
  5. Push the intermediate certificate to clients (automatic on Windows when the correct template is used).

The more detailed version

Get root certificate from vendor/partner

I chose to download a private Google CA, just for show 🙂
Google seems to run their PKI under https://pki.goog/.

So I downloaded GTS LTSR (gtsltsr.crt); I will be using this one.

Create CSR from certificate

Now we need a little magic. We will be using the -policy option of certreq.exe. The documentation specifies the command to run as:

But it doesn't really specify what the policy.inf file should look like. This is a sample that I have used:

The important part is the NameConstraintsPermitted section. You can do it the other way around too, but specifying which names they can't use seems harder; or you could combine the two. I suggest always using permitted and, if needed, excluded as well.

Then we just run this:

You will be asked about the private key. If you have it, point certreq to it now; this will help later.

Verify CSR

I always tell people to inspect their CSRs prior to signing. Microsoft includes a tool for this: certutil.exe has no problem with it.

Sign CSR

Now we come to the point where the question is whether we signed the CSR with the key. If we look at the Microsoft certificate template, we will find the following section:

If you didn't sign the CSR with a key, you will need to uncheck "This number of authorized signatures".

For more information about this please read the open specifications from Microsoft.

Distribute intermediate certificate

This can differ a lot depending on your setup.

For instance, you might have multiple domains to which you want to distribute the intermediate certificate.
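Steps 2 through 4 as one PowerShell session, added here as an example and not the commands from the original post. The file names, the CA config string, the partner's DNS/e-mail suffixes and the use of the built-in Cross Certification Authority (CrossCA) template are assumptions; adjust them to your environment.

```powershell
# Added example (not code from the original post). File names, the CA config
# string and the partner's DNS/e-mail suffixes are assumptions; replace them.
$vendorRoot = '.\gtsltsr.crt'          # the partner root downloaded in step 1
$policyInf  = '.\policy.inf'
$crossReq   = '.\gtsltsr-cross.req'
$crossCert  = '.\gtsltsr-cross.cer'
$issuingCa  = 'ca01.corp.example\Corp Issuing CA'   # assumed "host\CA name"

# Step 2: write policy.inf. Leaf certificates chaining through the cross-signed
# intermediate are only valid for names under the permitted subtrees; Critical
# makes relying parties that understand the extension enforce it.
@'
[Version]
Signature = "$Windows NT$"

[NameConstraintsExtension]
Include  = NameConstraintsPermitted
Exclude  = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS   = .partner.example
email = @partner.example

[NameConstraintsExcluded]
DNS   = .lab.partner.example
'@ | Set-Content -Path $policyInf -Encoding ASCII

# Build the cross-certification request from the partner's root certificate.
# certreq will ask for the private key; for a third-party root you do not
# have it, so the request stays unsigned and the CrossCA template must not
# require authorized signatures (uncheck "This number of authorized signatures").
certreq -policy $vendorRoot $policyInf $crossReq

# Step 3: inspect the request. Confirm the Name Constraints extension is present,
# critical, and lists exactly the subtrees you intended before anything is signed.
certutil -dump $crossReq

# Step 4: submit to your own CA using the Cross Certification Authority template.
certreq -submit -config $issuingCa -attrib 'CertificateTemplate:CrossCA' $crossReq $crossCert

# The returned $crossCert is the intermediate to distribute to clients (step 5).
```

Review the certutil -dump output with the same care as a normal CSR: a request whose constraints are missing or non-critical would let the partner's CA issue for any name once cross-signed.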
