Installing a Self-Signed Certificate in an AD GPO (Group Policy Object) for Internet Explorer Users

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/13/2009 at 11:53 AM


Category:
Microsoft Server Software
Other/Misc.

Issue:
You have a web server certificate that is self-signed and therefore untrusted by the clients. You want the users to stop getting the certificate warning dialog every time, rather than having to click through it or install the certificate by hand. (They might not have the rights to install it anyway.)

Solution:
Setup Group Policy Object (GPO) with the certificate to push down.

Notes:
You need to use a Domain Admins account (or an account delegated rights to edit the GPO) to make the directory policy update.
Windows expects the certificate that will be installed via policy to be in DER encoded format, containing the public certificate only (no private key), with the extension .CER.
Because this places the certificate in Trusted Root Certification Authorities, every computer that receives the policy will trust anything signed by its private key. Guard that key as you would a CA key, and remove the certificate from the policy when it is retired.
You can either create a new policy and import the self-signed certificate into it, or import the certificate into an existing GPO.
Search this support database for "Create
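The following PowerShell script is an added example, not part of the original article, for preparing the .CER file the import wizard expects. It takes whatever form of the certificate you have (a Base64/PEM .crt, a binary .cer, or a .pfx exported from the web server, which carries the private key) and writes the DER encoded public certificate only, then checks the result. The file paths are placeholders; it needs Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original article): export the public half of a
# certificate to the DER-encoded .CER file that the GPO import wizard expects.
# Assumptions: both paths are placeholders. The source may be PEM/Base64, binary
# DER, or a .pfx/.p12 (which prompts for its password and is never written out).
param(
    [string]$Source = 'C:\certs\lotuscert.crt',   # placeholder input file
    [string]$Dest   = 'C:\certs\lotuscert.cer'    # DER output to import into the GPO
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
if ($Source -match '\.(pfx|p12)$') {
    $pw = Read-Host -AsSecureString 'PFX password'
    $cert.Import($Source, $pw, 'DefaultKeySet')
} else {
    $cert.Import($Source)   # .NET accepts both PEM (Base64) and binary DER here
}

# ContentType Cert = DER-encoded certificate only. The private key is never part
# of this export, which is exactly what the Trusted Root store should receive.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($Dest, $der)

# Sanity checks on the written file before handing it to the GPO import wizard.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Dest
if ($check.HasPrivateKey) { throw "$Dest unexpectedly carries a private key" }
if ($check.Subject -ne $check.Issuer) {
    Write-Warning "Not self-signed (issuer: $($check.Issuer)); import the issuing CA's root certificate instead."
}
if ($check.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($check.NotAfter); clients will still warn."
}

# Record the thumbprint: it is what you will look for on the clients afterwards.
$check | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

If the server certificate was issued by an internal CA rather than self-signed, the warning above matters: the GPO should carry the CA's root certificate, not the server's own certificate, otherwise the chain still fails to validate. `certutil -dump lotuscert.cer` shows the same fields from the command line if you want a second look at the file.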

Option 1: To create a new policy...
1. Start --> Programs --> Administrative Tools --> Active Directory Users and Computers.
2. Select the OU that contains the computers that should receive the certificate (the setting lives under Computer Configuration, so it applies to computer objects, not user accounts). Right click the specific OU, or the domain root if it should apply domain wide. Select Properties.
If you do not have a suitable OU, create a domain wide policy.
3. In the dialog that appears, select the tab Group Policy.
4. Click New, and name the new policy. (e.g. Lotus Certificate Installer).
5. Select the new Group Policy Object, and click Edit.
6. In the Group Policy Object Editor, select Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
7. On the right hand side of the window, right click on Trusted Root Certification Authorities. Select Import.
8. The Certificate Import Wizard dialog appears. Click Next. On the next dialog box, click Browse. Navigate to where you saved the certificate (e.g. lotuscert.cer) and click Open/Next.
9. With the full path to the certificate file populated/listed, accept the default to Place all certificates in the following store (Trusted Root Certification Authorities), click Next, click Finish.
10. Click OK, to close the Group Policy Object dialog, close Active Directory Users and Computers window.

Option 2: To add the certificate to an existing policy directly with the GPMC (Group Policy Management Console).
1. Start GPMC.
2. Select the appropriate policy (GPO) whose scope covers all the computers desired. Because the setting is under Computer Configuration, the GPO must be linked where the computer objects live.
3. Right click the policy and select Edit.
4. In the Group Policy Object Editor, select Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
5. On the right hand side of the window, right click on Trusted Root Certification Authorities. Select Import.
6. The Certificate Import Wizard dialog appears. Click Next. On the next dialog box, click Browse. Navigate to where you saved the certificate (e.g. lotuscert.cer) and click Open/Next.
7. With the full path to the certificate file populated/listed, accept the default to Place all certificates in the following store (Trusted Root Certification Authorities), click Next, click Finish.

Check that the Group Policy has propagated to the computers affected by the policy (e.g. the OU or domain) by opening Internet Explorer on one of the affected PCs. Computer policy refreshes on the next restart or background refresh; run gpupdate /force on the PC if you do not want to wait.
1. Open IE.
2. From the menu, choose Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.
3. Verify the new self-signed certificate is listed.
4. Close the dialog.
5. Open the web address served with the new certificate (e.g. https://server.mindwatering.com) and verify that the certificate warning no longer appears. The host name in the address must match the name in the certificate, or IE will still warn.
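The following PowerShell script is an added example, not part of the original article, that performs the same check from the command line on an affected PC and tells you which stage failed if the warning persists: whether policy delivered the certificate at all, whether it is visible in the merged Trusted Root store, and whether a TLS handshake to the server now validates. The thumbprint and host name are placeholders; use the thumbprint of the .CER you imported into the GPO.

```powershell
# Added example (not from the original article): confirm on a domain-joined PC
# that the GPO delivered the root certificate and that TLS to the server now
# validates without a warning. Assumptions: thumbprint, host and port below are
# placeholders supplied by whoever runs the script.
param(
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # placeholder
    [string]$Server     = 'server.mindwatering.com',
    [int]$Port          = 443
)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces/colons

# 1. Pull current computer policy instead of waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# 2. Certificates delivered by Group Policy are written under the Policies hive,
#    separately from roots an administrator added by hand through certmgr or
#    Internet Options. Absence here means the GPO itself did not reach this PC.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
if (Test-Path $policyKey) {
    Write-Host "Delivered by Group Policy: $policyKey"
} else {
    Write-Warning 'Not in the Group Policy root store; check the GPO link and scope with gpresult /r.'
}

# 3. The merged LocalMachine\Root view is what Internet Explorer consults.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($root) {
    Write-Host "Trusted Root contains: $($root.Subject) (expires $($root.NotAfter))"
} else {
    Write-Warning 'Thumbprint not present in LocalMachine\Root.'
}

# 4. Perform the handshake the browser would. AuthenticateAsClient throws an
#    AuthenticationException when the chain does not end in a trusted root or
#    the name does not match the certificate; IE warns for the same reasons.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Server)
    Write-Host "TLS to ${Server}:$Port validated; no certificate prompt expected in IE."
    Write-Host "Server presented: $($ssl.RemoteCertificate.Subject)"
} catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning "TLS validation failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Step 2 passing while step 3 fails is unusual and points at a corrupt or expired certificate; step 3 passing while step 4 fails almost always means the certificate's subject or subject alternative name does not match the host name users type, which the Trusted Root store cannot fix.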
