GPO Certificate Deployment
Written by Tom Hirt   
Thursday, 23 April 2009 14:24

Certificate Deployment Group Policy Overview


If you have ever come across one of Internet Explorer's infamous "certificate error" screens (see the image below, taken from IE7), then you know how intimidating they can be (especially for your users).

IE7 Security Alert

Certificate errors on your intranet are usually caused by one of two things:

  • An expired certificate
  • A self-signed certificate that was created by an untrusted signing authority

  Note: For the purpose of this discussion, we are only talking about intranet (internal network) certificate errors.  Certificate errors on the web are an entirely different matter.

In the case of an untrusted signing authority, this may not necessarily be a problem since, as the system administrator of the site, you probably created the certificate and know it is safe.  Therefore, you may wish to suppress the default behavior of the browser to prevent your users from seeing the warnings.

Group Policy offers a quick and easy way to deploy certificates in the enterprise.  Using a Group Policy Object, or GPO, we can deploy certificates to the enterprise without having to visit every machine on the network.  This guide will show you how to make the browser implicitly trust the signing authority, so that its certificate verification no longer raises the warning, by deploying the certificate with a GPO.  Let's get to it!


 

Certificate Export


In the steps below, we will use Internet Explorer 6 to export the certificate to our local machine.  Your actual screens may differ slightly depending on your operating system and web browser, but the concepts remain the same.

  1. Using your browser, navigate to the internal address of the "problem child" site

  2. When presented with the security alert, click the "View Certificate" button

    Certificate Security Alert

  3. Click the "Details" tab from the certificate information window

    Invalid Certificate

  4. Click the "Copy to File" button from the details screen

    Certificate Details - Copy to File

  5. Click the "Next" button on the certificate export wizard

    Certificate Export Wizard

  6. Select the "DER encoded binary X.509" option and click "Next"

    Certificate Export Format

  7. Provide a file name to save the certificate as on your local machine

    Certificate File to Export

  8. Click "Finish" to complete the export

    Certificate Export Confirmation

    Certificate Export Successful
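The same export can be done without a browser.  This added example (not part of the original article) retrieves the certificate an intranet site presents during the TLS handshake and writes it as a DER-encoded .cer file, the format chosen in step 6; the host name and output path are placeholders.  It also prints the subject and issuer so you can confirm whether the certificate is self-signed before it goes anywhere near a trusted root store.

```powershell
# Added example, not from the original article. The host name is a placeholder.
$Server  = 'intranet.example.local'          # the "problem child" from step 1
$Port    = 443
$OutFile = Join-Path $env:TEMP 'intranet-site.cer'

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # The site's certificate is untrusted right now, so accept whatever it presents
    # purely to complete the handshake and capture the certificate for export.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# X509ContentType.Cert is the bare DER-encoded certificate (public part only),
# equivalent to the "DER encoded binary X.509" wizard option.
$der = $remote.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Inspect what was saved before importing it into any Trusted Root store.
$saved = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
$saved | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

if ($saved.Subject -eq $saved.Issuer) {
    "Self-signed certificate: this file is the one to import as a trusted root."
} else {
    "Issued by '$($saved.Issuer)': import that issuer's (CA) certificate as the trusted root, not this leaf."
}
```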

 



Configuring the GPO


We will now define a new Group Policy Object (GPO) on an organizational unit (OU).

  1. Logon to your domain controller as a domain administrator

  2. Run "dsa.msc" to open Active Directory Users and Computers

    Active Directory Users and Computers - dsa.msc

  3. Find a top-level OU that contains the computer objects you wish to apply the GPO to.  Right-click the OU and select the "Properties" option

    Active Directory Users and Computers OU Properties

  4. Click the "Group Policy" tab from the OU properties window

    OU Properties

  5. Click the "New" button to create a new GPO

    New GPO

  6. Provide a meaningful name to your new GPO, and then click the "Edit" button

    New GPO

  7. Locate the "Trusted Root Certification Authorities" folder from the Group Policy Object Editor window

    GPO Trusted Authorities

    Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities

  8. Right-click "Trusted Root Certification Authorities" and select the "Import" option

    GPO Trusted Authorities Import

  9. Click the "Next" button on the certificate import wizard screen

    Certificate Import Wizard

  10. Provide the location of the certificate exported in the previous section

    Certificate Import Wizard - File to Import

  11. Select the "Place all certificates in the following store" option and click "Next"

    Certificate Import Wizard - Place in Store

  12. Click "Finish" on the confirmation screen

    Certificate Import Wizard Confirmation

    Certificate Import Successful

  13. Exit the GPO editor and reboot (or run gpupdate) on one of the computers within the affected OU.  You should find the certificate has been installed in the browser's Trusted Root Certification Authorities.

    Trusted Authorities Internet Explorer

Nice work on installing the certificate!  From the computer you rebooted in step #13, you should be able to browse the website that had previously thrown a certificate error without receiving any warnings.  Good luck!
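To confirm step 13 from the command line rather than the browser, this added example (not part of the original article) refreshes computer policy on a machine in the affected OU and checks that the .cer file imported in step 10 now appears, by thumbprint, in the machine's Trusted Root store.  The file path is a placeholder for wherever you kept the exported certificate.

```powershell
# Added example, not from the original article. The path is a placeholder.
$CerFile = '\\fileserver\certs\intranet-site.cer'   # the .cer exported earlier

# Pull the new GPO now instead of waiting for the next refresh cycle or a reboot.
gpupdate /target:computer /force | Out-Null

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerFile)

# The GPO lives under Computer Configuration, so the certificate is delivered to the
# machine store, which Internet Explorer also consults for trusted roots.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

if ($installed) {
    "Trusted root present: {0} (expires {1:yyyy-MM-dd})" -f $installed.Subject, $installed.NotAfter
} else {
    "Thumbprint {0} not found in LocalMachine\Root. Check that this computer is in the OU " +
    "the GPO is linked to (gpresult /r lists the applied GPOs)." -f $expected.Thumbprint
}

# Anything chained to a certificate in this store is trusted machine-wide, so note
# what else is in it besides the built-in roots and remove stale or unknown entries.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint
```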


Last Updated on Tuesday, 02 June 2009 10:46