Distribute Certificates to Client Computers by Using Group Policy

Applies To: Windows Server 2012

You can use the following procedure to push down the appropriate Secure Sockets Layer (SSL) certificates (or equivalent certificates that chain to a trusted root) for account federation servers, resource federation servers, and Web servers to each client computer in the account partner forest by using Group Policy.

Membership in Domain Admins or Enterprise Admins, or equivalent, in Active Directory Domain Services (AD DS) is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
  2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
  3. Right-click the GPO, and then click Edit.
  4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
  5. On the Welcome to the Certificate Import Wizard page, click Next.
  6. On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
  7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
  9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.
  10. Refresh Group Policy on the client computers by running gpupdate /force.

Applies To: Windows Server 2008 R2

Certificates are important credentials. Administrators may not want to let users decide which certificates to trust and which not to trust. Often the decision to trust or not trust a particular certificate should be made by an administrator or individual who is knowledgeable about the particular certificate and its trust implications for the organization.

You can use Group Policy to distribute the following types of certificates to clients.

Type of certificate: Description

Trusted Root Certification Authorities: Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your own organization and Microsoft.

Enterprise Trust: A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.

Intermediate Certification Authorities: Certificates issued to subordinate CAs.

Trusted Publishers: Certificates from CAs that are trusted.

Untrusted Certificates: Certificates that you have explicitly decided not to trust because they are no longer valid for their intended purpose or because they are from a source that domain clients should not trust.

Trusted People: Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To add certificates to the Trusted Root Certification Authorities store for a domain

  1. Click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
  3. Right-click the Default Domain Policy GPO, and then click Edit.
  4. In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  5. Right-click the Trusted Root Certification Authorities store.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.
  7. Refresh Group Policy on the client computers by running gpupdate /force.
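Both procedures above end with a Group Policy refresh, but neither shows how to confirm on a client that the certificate actually landed in the intended store. The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation; it assumes the .cer file is reachable at the same path used in the first procedure (\\fs1\c$\fs1.cer) and that it is run on a domain-joined client after the GPO has been linked. It refreshes policy, checks the machine's Trusted Root store, checks the registry location where Group Policy-delivered certificates are written, and warns if the file is not a self-signed CA certificate (an end-entity certificate placed in Trusted Root becomes a trust anchor on its own, which is usually not what you want).

```powershell
# Added example (not from the original article): verify that a certificate
# pushed through a GPO arrived in the client's Trusted Root store.
# Assumption: $CertificatePath points at the same .cer file you imported into
# the GPO; the default reuses the article's example path.
param(
    [string]$CertificatePath = '\\fs1\c$\fs1.cer'   # assumed, from the article's example
)

function Test-GpoTrustedRoot {
    param([Parameter(Mandatory)][string]$Path)

    # Load the certificate file exactly as it was imported into the GPO.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $thumb = $cert.Thumbprint

    # 1. Present in the machine's Trusted Root Certification Authorities store?
    $inRootStore = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

    # 2. Delivered by Group Policy rather than imported locally? GPO-distributed
    #    certificates are written under the Policies registry hive.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    $deliveredByGpo = Test-Path -Path $policyKey

    # 3. Sanity check: a Trusted Root entry should be a self-signed CA certificate.
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)
    $bc = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $thumb
        NotAfter       = $cert.NotAfter
        InRootStore    = $inRootStore
        DeliveredByGpo = $deliveredByGpo
        SelfSigned     = $isSelfSigned
        IsCA           = $isCa
    }
}

# Pull the latest policy (same command as the last step of the procedure), then verify.
gpupdate /force | Out-Null
$result = Test-GpoTrustedRoot -Path $CertificatePath
$result | Format-List

if (-not $result.InRootStore) {
    Write-Warning "Certificate $($result.Thumbprint) is not in LocalMachine\Root. Check the GPO link (domain, site or OU) and whether this computer falls within its scope."
}
elseif (-not $result.DeliveredByGpo) {
    Write-Warning "Certificate is trusted, but it was imported locally rather than delivered by Group Policy."
}
if (-not ($result.SelfSigned -and $result.IsCA)) {
    Write-Warning "This file is not a self-signed CA certificate. Trusted Root should hold root CAs; use the store table above to pick the right store for intermediate or end-entity certificates."
}
```

Run it in an elevated PowerShell session on a client in the target OU; the registry check is what distinguishes a certificate that arrived via the GPO from one that an administrator imported by hand on that machine.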