In this tutorial, we will see how to deploy a certificate to domain computers using a GPO.
Some cases where you may need to distribute a certificate to every computer:
- Internal Certification Authority (so that certificates it issues are trusted)
- Appliance certificate used for SSL/TLS filtering
- Self-signed web server / RDS certificate
Operations to Perform on the Server Where the Certificate and Its Private Key Are Installed
1. Open the certificate management MMC for the local computer and go to the store where the certificate is kept.
2. Select the certificate, right-click it and go to All Tasks > Export….
3. When the wizard opens, click Next.
4. Select No, do not export the private key, then click Next. The clients only need the public certificate to trust it; the private key must stay on the server.
5. Select one of the two X.509 formats (DER or Base-64) and click Next.
The exported file must have the .cer extension.
6. Click the Browse… button.
7. Choose the folder, enter the file name and click Save.
8. Check the path and file name, then click Next.
9. Click Finish to close the wizard.
10. Check that the file has been created.
11. Place the certificate in a location accessible from your domain controller.
Creating the Policy (GPO) to Deploy a Certificate
1. Open the Group Policy Management Console.
2. Right-click the OU, then click Create a GPO in this domain, and Link it here….
3. Name the GPO and click OK.
4. Right-click the GPO and click Edit….
5. Go to the Trusted Root Certification Authorities setting, found under: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click it and click Import….
6. When the wizard opens, click Next.
7. Click Browse….
8. Go to the file location, select the certificate and click Open.
9. Back in the wizard, click Next.
10. The store cannot be changed here (it is fixed to Trusted Root Certification Authorities), so click Next.
11. Click Finish to import the certificate.
12. Click OK to confirm the import.
13. The imported certificate should now be listed in the settings pane.
14. Review the settings of the GPO.
Checking the Deployment on a Client Computer
1. Restart the client computer so that the computer policy is applied.
2. Log in to the computer.
3. Open the certificate management MMC for the local computer, go to Trusted Root Certification Authorities and check that the certificate is present.
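The two manual procedures above (exporting the public certificate on the server, and checking on a client that the GPO delivered it) can also be done from PowerShell; the script below is an added example and is not part of the original tutorial. It assumes the CA certificate's SHA-1 thumbprint is passed as $Thumbprint and that '\\DC01\netlogon\certs\internal-ca.cer' is a placeholder share path of your own.

```powershell
# Added example, not from the original tutorial.
# Assumed values: $Thumbprint = SHA-1 thumbprint of the CA certificate,
# '\\DC01\netlogon\certs\internal-ca.cer' = placeholder UNC path.

# --- Server side: export the public certificate only (steps 1-11 above) ---
function Export-PublicCert {
    param([string]$Thumbprint, [string]$Path)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    # -Type CERT writes a DER-encoded X.509 .cer file; the private key is never exported
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    # Re-read the file and confirm it is the right certificate and carries no private key
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($reloaded.HasPrivateKey -or $reloaded.Thumbprint -ne $Thumbprint) {
        throw "Exported file $Path is not the expected public-only certificate"
    }
    return $reloaded
}

# --- Client side: verify the GPO delivered the certificate (client steps 1-3) ---
function Test-GpoDeployedRootCert {
    param([string]$Thumbprint)
    $inStore = Get-ChildItem Cert:\LocalMachine\Root |
               Where-Object { $_.Thumbprint -eq $Thumbprint }
    # Group Policy records the certificates it pushes under this policy key;
    # a certificate present in the store but absent here was installed some other way
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    [pscustomobject]@{
        Thumbprint    = $Thumbprint
        InRootStore   = [bool]$inStore
        DeployedByGpo = (Test-Path $policyKey)
        Subject       = $inStore.Subject    # $null when the certificate is missing
        NotAfter      = $inStore.NotAfter
    }
}

# Usage (placeholder thumbprint; replace with your CA's value):
# Export-PublicCert -Thumbprint 'AABBCC...' -Path '\\DC01\netlogon\certs\internal-ca.cer'
# On the client, run 'gpupdate /force' (or reboot, as in the tutorial), then:
# Test-GpoDeployedRootCert -Thumbprint 'AABBCC...'
```

A result with InRootStore true but DeployedByGpo false means the certificate was installed by hand or by another tool rather than by this policy, which is worth investigating on a machine that should only trust GPO-managed roots.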