A custom certificate trust list (CTL) is a feature that allows you to control the trust and validity of certificates issued by external certification authorities (CAs). This can be useful for limiting the scope and purpose of certificates from certain CAs, especially if they are outside your organization.
In this article, you will learn what a CTL is, how it works, and how to create and deploy one using Group Policy.
Table of Contents
What is CTL and why do you need one?
A CTL is a Microsoft open format of portable certificate container based on PKCS#7 format. It can store arbitrary certificates, such as root, intermediate, and cross certificates. A CTL can also have the following features:
- A name and a version number for easy identification and management
- A set of X.509 attributes for each certificate, such as subject, issuer, serial number, and thumbprint
- A custom validity period for the entire list
- A list of subject usages (purposes) for all certificates in the list, such as server authentication, client authentication, code signing, and secure email
- A digital signature to ensure the integrity and authenticity of the list
A CTL can help you to achieve more granularity and control over the trust of certificates from external CAs. For example, suppose you have a CA named “My CA” that can issue certificates for various purposes, but you only want to trust its certificates for client authentication.
You can create a CTL that contains only the certificates from “My CA” and restrict their usage to client authentication. Any certificates from “My CA” that are issued for other purposes will not be accepted by the computers or users that have the CTL applied.
How to create CTL using PowerShell
You can use the PowerShell PKI (PSPKI) module to create a custom CTL. The module provides a set of APIs to generate and manipulate CTLs. Here are the steps to create a CTL using PowerShell:
- Import the PSPKI module:
Import-Module PSPKI - Instantiate a trust list using the default constructor:
$builder = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateTrustListBuilder - Provide a name and a version number for the list:
$builder.ListIdentifier = "My custom trust list"and$builder.SequenceNumber = 5 - Specify the subject usages for the list:
[void]$builder.SubjectUsages.Add("1.3.6.1.5.5.7.3.1")for server authentication and[void]$builder.SubjectUsages.Add("1.3.6.1.5.5.7.3.2")for client authentication - Set the validity period for the list:
$builder.NextUpdate = [datetime]::Now.AddYears(5) - Add certificate entries to the list:
$certs = Get-ChildItem cert:\currentuser\ca | select -First 10to get 10 certificates from the CA store and$certs | ForEach-Object { $entry = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509CertificateTrustListEntry $_, "sha1" $builder.Entries.Add($entry) }to convert them to X509CertificateTrustListEntry objects and add them to the list - Save the list to a file:
$builder.Save("C:\temp\myctl.ctl")
How to deploy CTL using Group Policy
You can use Group Policy to distribute and apply a CTL to your domain or organizational unit. Here are the steps to deploy a CTL using Group Policy:
- Open the Group Policy Management Console (GPMC) and create or edit a Group Policy object (GPO) that targets the computers or users that you want to apply the CTL to
- Navigate to User Configuration, Windows Settings, Security Settings, Public Key Policies, Enterprise Trust
- Right-click Enterprise Trust, and select New, Certificate Trust List
- When the Certificate Trust List Wizard starts, click Next
- Browse to the CTL file that you created and click Next
- Enter a friendly name and a description for the CTL and click Next
- Review the summary and click Finish
The CTL will be applied to the computers or users in the scope of the GPO. You can verify the CTL by opening the Certificates snap-in and checking the Enterprise Trust store.
Conclusion
A custom certificate trust list (CTL) is a powerful tool that can help you to control the trust and validity of certificates from external CAs. You can create and deploy a CTL using PowerShell and Group Policy. By using a CTL, you can enhance the security and flexibility of your certificate infrastructure.