8

Suppose I have a CA1 root certificate and two intermediate CA2 and CA3 certificates issued by CA1. Would it pose any security issue if all of the intermediate certificates were installed in the root store? I'd like to know what the purpose of this intermediate certificate store is and when I should use it. I understand that it is created to store intermediate certificate authorities, but is there a reason why it was created specifically, and why can't I keep all my certs in the root store?

certmgr

There is a similar question about the Windows store for intermediate certificates, but it does not answer my question completely. Instead, it focuses on why it is necessary to store the intermediate certs in general, and whether there is a case when it is really needed. In my case I understand that storing intermediate certificates is necessary, but I'm asking why there is a need to create a separate "folder" for storing intermediate certs in Windows, while it is possible to just bundle them together with root CA certs.

username
  • 195
  • 1
  • 7
  • There is a similar question, see my answer here: https://security.stackexchange.com/a/216214/70148 – Ed Greaves Aug 29 '19 at 17:43
  • @EdGreaves see my updates. – username Aug 29 '19 at 21:55
  • @username, it's not marked as duplicate. It's been suggested that it may be duplicate, and people with enough reputation here will vote on whether it actually is duplicate. You're welcome to pose your argument in the comments. – Ghedipunk Aug 29 '19 at 22:03
  • The edit does help explain your intent. Rather than "It's not a duplicate because..." it could be reworded to "There is a similar question (supply link), though this one is asking ... " – Ghedipunk Aug 29 '19 at 22:11
  • @Ghedipunk thank you, I have updated the wording and hope it sounds better now. – username Aug 29 '19 at 22:22

2 Answers

4

Would it pose any security issue if all of the intermediate certificates were installed in the root store?

Yes. Root-CAs are a pain to revoke. That's why the intermediate-CA idea became popular some years ago. Intermediate CAs are much easier to revoke.

I'd like to know what's the purpose of this intermediate certificate store...

Speed. It's a cache that Windows uses.

...and when should I use it.

You don't. It's automatic.

StackzOfZtuff
  • 17,783
  • 1
  • 50
  • 86
  • When you should use it: this is partly automatic. However, in some scenarios (think enterprise-level certificate deployment schemes) you would put the current intermediate certs in this store and use the domain controller to push them to all clients that need them. This offers granular permission checks and separation while maintaining the singular source of truth (your own CA) as the root. Especially if you expand some programs' logic to verify the chain locally completely and not just rely on the certs sent by the server. – LvB Sep 05 '19 at 10:43
  • @LvB: Okay, dunno. I myself can only speak from a TLS background. And in that case for the server to NOT send all the certs required for chain building (trust anchor optional) is simply non-compliant and an error. – StackzOfZtuff Sep 05 '19 at 11:33
  • You are correct, but that does not mean people do not do this type of crazy stuff... I am not a fan, but I have just seen some implementations of people doing this. – LvB Sep 05 '19 at 14:01
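The misplacement the question asks about (an intermediate sitting in the Root store, where Windows would treat it as a trust anchor and skip walking up to CA1) is easy to audit from PowerShell. The following is an added example, not code from the original post or from any answer; it uses only the built-in `Cert:` provider and the .NET `X509Store` class, and the store names `Root` and `CA` (the "Intermediate Certification Authorities" folder in certmgr). The self-signed test is the same Subject/Issuer heuristic certutil uses, so treat a hit as something to review, not as proof of a mistake.

```powershell
# Added example (not from the original post): find certificates in the Root store that
# are not self-signed. A root is its own issuer; anything else in that store is a CA
# certificate that belongs in the intermediate (CA) store, or should not be there at all.
function Get-MisplacedIntermediate {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')  # assumption: machine-wide store
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -ne $_.Issuer } |          # heuristic: self-signed <=> Subject eq Issuer
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

# Move one certificate (by thumbprint) from Root to CA so it is chained to, not trusted
# directly. Needs an elevated shell for LocalMachine stores.
function Move-CertificateToIntermediateStore {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $src = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $dst = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
    $src.Open('ReadWrite'); $dst.Open('ReadWrite')
    try {
        $cert = $src.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if (-not $cert) { throw "Thumbprint $Thumbprint not found in Root store" }
        if ($cert.Subject -eq $cert.Issuer) { throw "Refusing to move a self-signed certificate out of Root" }
        $dst.Add($cert)      # add to the intermediate store first ...
        $src.Remove($cert)   # ... then drop it from Root, so the chain never loses the cert
        "Moved $($cert.Subject) to CA store"
    } finally {
        $src.Close(); $dst.Close()
    }
}

# Usage (report only):
Get-MisplacedIntermediate | Format-Table -AutoSize
# Usage (remediate one finding):
# Move-CertificateToIntermediateStore -Thumbprint '<THUMBPRINT FROM THE REPORT>'
```

Running the report on a fleet (for example as a scheduled script whose output goes to your SIEM) turns the "is it a security issue" question into a detection: any non-self-signed certificate appearing in Root is a change worth an alert, because a CA that is a trust anchor cannot be cut off by revoking it at its parent.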

3

It is entirely organizational. You may place your certificates wherever you want.

That said, the intermediate CAs play a role in IT infrastructure because they are able to issue certs, but can be limited to only issue for specific purposes. This allows an organization to use a separate ICA for different functions (development, production, clients, ...).

The advantage of this is that the root CA can be used less and kept in a more secure situation, while the different functions can operate independently of each other and compromises of one ICA won't affect other functions.

ztk
  • 2,247
  • 13
  • 22
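To see the "limited to specific purposes" split this answer describes on an actual machine, the intermediate store can be inventoried for the extensions that carry those limits: Basic Constraints (is it a CA, and how deep may it chain), Extended Key Usage, and Name Constraints. This is an added example, not code from the answer; it assumes the `LocalMachine` stores and reads extensions through the .NET `X509Certificate2` object that the `Cert:` provider returns. Name Constraints has no typed .NET wrapper, so it is detected by its OID (2.5.29.30) only.

```powershell
# Added example (not from the original answer): profile each intermediate CA in the CA store
# and report the constraints that scope what it may issue, plus whether its issuer is a
# trusted root on this machine (i.e. whether the chain can actually be built here).
function Get-IntermediateCAProfile {
    param([string]$StorePath = 'Cert:\LocalMachine\CA')  # assumption: machine-wide intermediate store
    $roots = Get-ChildItem -Path 'Cert:\LocalMachine\Root'
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $bc  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $nc  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.30' }   # Name Constraints

        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            IsCA            = if ($bc) { $bc.CertificateAuthority } else { $false }
            PathLength      = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'unlimited' }
            # No EKU extension on a CA means it is not scoped to any purpose.
            EKU             = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { 'any' }
            NameConstraints = [bool]$nc
            IssuerInRoot    = [bool]($roots | Where-Object { $_.Subject -eq $cert.Issuer })
            NotAfter        = $cert.NotAfter
        }
    }
}

# Usage: intermediates whose scope is wide open are the ones whose compromise would not be
# contained to one function, which is the risk the answer's per-function ICA design limits.
Get-IntermediateCAProfile |
    Where-Object { $_.EKU -eq 'any' -and -not $_.NameConstraints } |
    Format-Table Subject, IsCA, PathLength, EKU, NameConstraints, IssuerInRoot -AutoSize
```

An ICA that reports `EKU = any`, no name constraints and `IsCA = True` can issue anything its parent can, so "compromises of one ICA won't affect other functions" only holds for intermediates that actually carry a narrower EKU or name constraint than the root.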