What is the purpose of a custom Certificate Trust List?

5

You can create and deploy a certificate trust list as detailed here, but I am trying to understand the advantages of doing this over simply deploying root and intermediate certificates with Group Policy in the normal way. Why would I want / need to do this?

    
por red888 24.11.2014 / 23:56

1 answer

4

An enterprise Certificate Trust List (CTL) gives you more granularity and control over exactly which kinds of certificates, and for which purposes, those certificates may be trusted. Simply distributing certificates through Group Policy does not give you much control over exactly how, and under what circumstances, those certificates are trusted on your clients.

From TechNet:

A certificate trust list (CTL) enables you to control trust of the purpose and of the validity period of certificates issued by external certification authorities (CAs).

Typically, a certification authority can issue certificates for a wide variety of purposes, such as secure e-mail or client authentication. But there might be situations in which you want to limit the trust of certificates issued by a particular certification authority, especially if the CA is outside your organization. In these situations, creating a CTL and using it through Group Policy can be useful.

Suppose, for example, a certification authority named "My CA" is capable of issuing certificates for server authentication, client authentication, code signing, and secure e-mail. However, you only want to trust certificates issued by My CA for the purpose of client authentication. You can create a CTL and limit the purpose for which you trust certificates issued by My CA so that they are only valid for client authentication. Any certificates issued for another purpose by My CA are not accepted for use by any computer or user in the scope of the Group Policy object (GPO) to which the CTL is applied.

There can be multiple CTLs in an organization. Because the uses and trusts of certificates for particular domains or organizational units might be different, you can create separate CTLs to reflect these uses and assign particular CTLs to particular GPOs.

Through the use of Group Policy in your organization, you have the option of designating trust in CAs by using either the trusted root certification authority policy or the enterprise trust policy (CTLs). Use the following guidelines in determining which policy to use:

• If your organization has its own root CAs and uses Active Directory, you do not need to use the Group Policy mechanism to distribute those root certificates.

• If your organization has its own root CAs that are not installed on servers, you should use the trusted root certification authority policy to distribute your organization's root certificates. For more information, see Trusted root certification authority policy.

• If your organization does not have its own CAs, use the enterprise trust policy to create CTLs to establish your organization's trust of external root CAs. For more information, see Using enterprise trust policy.

    
por 25.11.2014 / 02:18
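The restriction the answer describes, modelled as an added example (this is not code from the original answer or from TechNet, and it does not produce a real Windows CTL file): a CA is trusted only for the purposes listed against it, so a certificate that chains correctly to "My CA" is still rejected when its purpose is not one the list grants that CA. Two throw-away CAs are created in the current user's personal store, leaf certificates are issued by each, and a hashtable stands in for the CTL. It assumes a Windows 10 / Server 2016 or later `New-SelfSignedCertificate` (with `-Signer` and `-TextExtension` support); the CA and leaf names are made up, the EKU OIDs are the standard ones.

```powershell
# Added example: model the purpose restriction an enterprise CTL imposes on a CA.
# Not a real CTL; a hashtable of "root thumbprint -> trusted EKU OIDs" plays its role.

$ClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$Store      = 'Cert:\CurrentUser\My'

function New-TestCa([string]$Name) {
    # Throw-away self-signed CA with a signing-only key, usable with -Signer below.
    New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$Name" `
        -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -KeyUsageProperty Sign -KeyUsage CertSign -CertStoreLocation $Store
}

function New-TestLeaf($Signer, [string]$Name, [string]$Eku) {
    # Leaf issued by $Signer carrying exactly one EKU (2.5.29.37 = id-ce-extKeyUsage).
    New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$Name" `
        -HashAlgorithm sha256 -KeyLength 2048 -Signer $Signer `
        -TextExtension @("2.5.29.37={text}$Eku") -CertStoreLocation $Store
}

function Get-Eku($Cert) {
    # Every EKU OID the certificate asserts; nothing if it has no EKU extension.
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

function Test-CtlTrust($Cert, [hashtable]$Ctl, $Roots, [string]$Purpose) {
    # Build the chain without requiring the root to sit in Trusted Root Certification
    # Authorities; whether the root is trusted, and for what, is then decided by $Ctl.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($r in $Roots) { [void]$chain.ChainPolicy.ExtraStore.Add($r) }

    if (-not $chain.Build($Cert)) {
        # The untrusted-root status is caused on purpose; any other status is a real failure.
        $other = $chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' }
        if ($other) { return $false }
    }

    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not $Ctl.ContainsKey($root.Thumbprint))      { return $false }  # CA not listed at all
    if ($Ctl[$root.Thumbprint] -notcontains $Purpose) { return $false }  # CA listed, but not for this purpose
    return [bool]((Get-Eku $Cert) -contains $Purpose)                    # the leaf must also claim the purpose
}

$myCa    = New-TestCa 'My CA'
$otherCa = New-TestCa 'Other CA'
$roots   = @($myCa, $otherCa)

# The stand-in CTL: purposes for which each listed CA is trusted.
$ctl = @{
    $myCa.Thumbprint    = @($ClientAuth)               # My CA: client authentication only
    $otherCa.Thumbprint = @($ClientAuth, $ServerAuth)  # Other CA: client and server authentication
}

$clientFromMyCa  = New-TestLeaf $myCa    'client.example.test' $ClientAuth
$serverFromMyCa  = New-TestLeaf $myCa    'server.example.test' $ServerAuth
$serverFromOther = New-TestLeaf $otherCa 'server.example.test' $ServerAuth

# The server-auth certificate from My CA chains correctly, but server authentication is
# not among the purposes the list grants My CA, so the policy check must not accept it.
"client cert from My CA for client auth:    $(Test-CtlTrust $clientFromMyCa  $ctl $roots $ClientAuth)"
"server cert from My CA for server auth:    $(Test-CtlTrust $serverFromMyCa  $ctl $roots $ServerAuth)"
"server cert from Other CA for server auth: $(Test-CtlTrust $serverFromOther $ctl $roots $ServerAuth)"

# Remove the throw-away certificates from the personal store again.
@($myCa, $otherCa, $clientFromMyCa, $serverFromMyCa, $serverFromOther) |
    ForEach-Object { Remove-Item (Join-Path $Store $_.Thumbprint) }
```

Run it in a Windows PowerShell session as an ordinary user; it only touches `Cert:\CurrentUser\My` and cleans up after itself. Note that `AllowUnknownCertificateAuthority` is used solely so that the chain can be built to a root that is deliberately not in the trusted root store; in production the decision of which roots to trust, and for what, belongs to the trusted root CA policy or the CTL, not to a verification flag.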