# _general
j
Another request. Had a customer's security team decide, on their own, to go with SSL.COM entrust certificates for their renewals from entrust. Problem is, most machines and devices don't have the updated ssl.com intermediate certs and so they aren't trusted on almost everything. Anyone have a good process for deploying intermediate and root certs to non-domain machines? GPO is going to get all the Windows domain machines, and UMOS is handling the IGELs. But what about public machines? Anyone else gone down the rabbit hole of better cert management?
m
Windows machines that trust the root will typically download the intermediate on their own, Linux and Mac machines won’t. If those machines are getting OS security updates then new root and intermediates typically get pushed out that way, but if they don’t have them and the machine isn’t under your control there isn’t a lot you can do. I’ve seen this a lot with NetScaler cert updates and the easiest thing is to buy a cert that everyone already trusts.
j
Yeah, that was my recommendation as well...
m
If the root is trusted and you push the whole chain they should trust any intermediate though
The big problem is that nobody really understands ssl. I include myself in that because there’s always something that catches you out
Sometimes even the root isn’t trusted but you really only see that on old devices like windows 7
j
Interesting that the endpoints wouldn't have Entrust as Entrust should be included in Windows Updates https://learn.microsoft.com/en-us/security/trusted-root/participants-list
Or are you just trying to "get ahead" of any potential non-domain/non-managed machines?
m
Why would ssl.com certs be signed by entrust though? Don’t they have their own root?
I also thought entrust wasn’t signing anything anymore and sold it all to sectigo
j
Looks like they still sell them under partner signed certs... I wonder if this was someone going to SSL.com and saying "oh look this one is cheaper!" https://www.ssl.com/repository/
v
We use Entrust for our certs and they partner with SSL.com to issue. In the past year, I’ve enjoyed three different chains for Entrust.