Reputation: 11344
I have 3 machines in a domain, and I chose Machine1 to host an ASP.NET Web API application.
I have created my own CA, RootCA, and put it in Machine1's trusted root store.
Then I issued one more certificate, X, with Machine1's fully qualified domain name from RootCA.
I put certificate X in Machine1's Personal root.
I bound my ASP.NET Web API app to certificate X.
If I browse to my ASP.NET Web API, it's running fine and there is NO certificate error.
Now when I try to browse my ASP.NET Web API from Machine2 & Machine3, I get a certificate error.
My questions:
Is it required to copy the RootCA certificate to both Machine2's & Machine3's trusted stores?
Can I eliminate this step? Perhaps I don't want to install any certificate on Machine2 & Machine3. Is this possible?
Thanks!
Upvotes: 0
Views: 18
Reputation: 174690
Is it required to copy the RootCA certificate to both Machine2's & Machine3's trusted stores?
Yes, otherwise the machines won't be able to decide whether to trust the certificate(s) issued by it.
Can I eliminate this step?
No, but since they're domain members you can automate distribution of the root certificate via Group Policy by configuring the following setting in a GPO that targets Machine2 and Machine3:
Path: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies
Setting: Trusted Root Certification Authorities
Upvotes: 1
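To see the failure the answer describes and confirm that placing RootCA in the machine-wide Trusted Root store fixes it, here is an added PowerShell check (not part of the original question or answer) to run on Machine2 or Machine3. It assumes Machine1's FQDN is machine1.contoso.local, the API listens on 443, and RootCA's public certificate was exported to C:\Temp\RootCA.cer; the revocation setting is an assumption for a private CA that publishes no CRL.

```powershell
# Added example, not from the original post. Names below are assumptions.
param(
    [string]$Server      = 'machine1.contoso.local',   # Machine1's FQDN (certificate X subject)
    [int]   $Port        = 443,
    [string]$RootCerPath = 'C:\Temp\RootCA.cer'        # exported RootCA public cert, no private key
)

function Get-ChainStatus {
    param([string]$Server, [int]$Port)
    # Accept any certificate during the handshake; trust is evaluated separately below.
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }

    # Build the chain against this machine's certificate stores, as a browser would.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: private CA, no CRL published
    $trusted = $chain.Build($leaf)
    [pscustomobject]@{
        Subject = $leaf.Subject
        Issuer  = $leaf.Issuer
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    }
}

# 1. Before RootCA is trusted: Trusted is False and Status reports UntrustedRoot,
#    which is the certificate error seen from Machine2 and Machine3.
Get-ChainStatus -Server $Server -Port $Port

# 2. Put RootCA in the machine-wide Trusted Root store (requires local admin).
#    The GPO setting in the answer performs this same import on every targeted domain member.
Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. After the import the chain terminates in a trusted root: Trusted is True, Status is empty.
Get-ChainStatus -Server $Server -Port $Port
```

The chain build does not compare the hostname with the certificate's subject, so browse to Machine1 by the exact FQDN in certificate X; a short-name URL would still produce a name-mismatch warning after the root is trusted.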