Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else’s root certificate with name restrictions. This allows you to trust a vendor/partner/etc. root certificate without giving them the ability to spoof Google or any other company they shouldn’t sign for.

The same caveat applies to this post: not all operating systems honor name restrictions. So if you are running mostly macOS machines, this won’t help that much.
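What "honoring" a name restriction means on a client, as an added example that is not part of the original post: a simplified version of the RFC 5280 dNSName name-constraint check a validating client applies to every certificate issued below the constrained CA. The domain names are constructed sample values, and only DNS names are handled (no IP, e-mail or directory-name constraints).

```python
# Added illustration: RFC 5280 (section 4.2.1.10) dNSName name-constraint check.
# All domain names below are constructed sample values.

def _labels(name):
    """Normalise a DNS name to a list of lower-case labels."""
    return name.strip().rstrip(".").lower().split(".")

def within_subtree(dns_name, constraint):
    """True if dns_name equals the constraint or adds labels to its left."""
    if constraint.strip() in ("", "."):
        return True  # an empty constraint covers every DNS name
    # Simplification: a leading dot on the constraint is tolerated and ignored.
    c = _labels(constraint.lstrip("."))
    n = _labels(dns_name)
    # Compare whole labels from the right, so "notvendor.example" is not
    # treated as being inside "vendor.example".
    return len(n) >= len(c) and n[-len(c):] == c

def name_allowed(dns_name, permitted, excluded=()):
    """Apply permitted/excluded subtrees; an excluded match always wins."""
    if any(within_subtree(dns_name, e) for e in excluded):
        return False
    # An empty permitted list means there is no permitted-subtree restriction.
    if permitted and not any(within_subtree(dns_name, p) for p in permitted):
        return False
    return True

def check_leaf(san_dns_names, permitted, excluded=()):
    """Return the SAN names that violate the constraints (empty = acceptable)."""
    return [n for n in san_dns_names if not name_allowed(n, permitted, excluded)]

if __name__ == "__main__":
    permitted = ["vendor.example"]            # what the partner may sign for
    excluded = ["internal.vendor.example"]    # carved out of the permitted tree
    for sans in (["portal.vendor.example"],
                 ["portal.vendor.example", "www.google.com"],
                 ["notvendor.example"],
                 ["db.internal.vendor.example"]):
        bad = check_leaf(sans, permitted, excluded)
        print(sans, "->", "accept" if not bad else f"reject {bad}")
```

A client that does not implement this check accepts all four sample certificates, which is why the caveat above matters.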

So let’s get going.

The simple solution:

  1. Get root certificate from vendor/partner
  2. Create CSR from certificate
  3. Verify CSR
  4. Sign CSR
  5. Push the intermediate certificate to clients (automatic on Windows when the correct template is used).
