Installing on Enterprise Certification Authority

[mashdk]

Very interesting work, you have done here!
You write, that it should only be installed on an Enterprise CA, not a standalone.
However, https://learn.microsoft.com/en-us/windows/win32/seccrypto/policy-modules states:
"An enterprise certification authority should use only the Microsoft-provided enterprise policy module."
I know there's gotta be a perfectly legitimate explanation. But maybe you could help out here?

[Sleepw4lker]

Hello, i can only speculate why Microsoft wrote this, but I assume this is because you can only have one policy module active at a time. Therefore, you would have to replicate the logic from the "Windows Default" policy module, which would be nearly impossible. TameMyCerts solves this be daisy-chaining the "Windows Default" policy module, thus preserving all it's logic. And this approach was taken from a code sample Microsoft published themselves about 10 years ago (which is probably newer than the MSDN article you linked ;)).

[Sleepw4lker]

Hello @mashdk I found this in the meantime:

Quote:
You can customize policy enforcement by: Modifying the installed policy module using the Certification Authority snap-in to create a custom policy module that then makes an explicit call to the default policy module.

from https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783853(v=ws.10)

So I think we can safely assume that the approach we take is valid.

[mashdk]

That's awesome, thank you.
Makes it a lot easier to argue for installing this in an enterprise.