Is it possible to trust a certificate in windows, without trusting its root CA?

Solution 1:

No. As long as the certificate says "Issued by: xxx" then you must also trust xxx, all the way up the chain. If it is a self-signed certificate, you could put it in the Trusted Root CAs store, and since it is issued to and issued by the same entity, it should be trusted then.

But no it's not generally do-able or advisible to completely circumvent the entire purpose of certificate-based security.

Solution 2:

Well.... You could capture that trust information in another way.

It is, unfortunately, a bit complicated.

Create your own CA, then create your own cross-signing issuer for Dept-Intermediate-1 (or Dept-Root-CA) by signing their cert with your CA, possibly adding domain restrictions. If the "real" Dep-Intermediate-1 is deactivated (preferably) or unknown, windows will use your trust chain instead.

See my other answer here: Restrict a root certificate to a domain

This is how certificates are supposed to work, using digital signatures to represent an assertion of key ownership. Since you want to assert the cert and key belongs to the server, you sign it yourself, under your authority, and then tell the system to trust you.

There's still a lot of utility in a certificate without a CA hierarchy, above what SSH keys provide; part of that is the restrictions on them. Key usage, validity dates, revocation information, domain restrictions, etc.. The other part is the identifying information; server which owns the key, identity of the issuer, CA policies enforced, key storage information, etc.

Tags:

Windows

Ssl