Does a domain computer trust certs from domain CA

Tags: ad-certificate-services, certificate-authority, remote desktop, remote-desktop-services, ssl-certificate

I have investigated this but have been unable to find a definitive answer to my question. I have never used certificate services in Active Directory before, so am unsure of its possible usage/implementations.

Quick background: we are looking to set up a remote desktop farm with a gateway server to allow remote users to connect to the farm without a VPN. In order for users to connect, we need to have a trusted certificate installed for the gateway server.

In my test environment, I have used a self-signed certificate and manually installed it to Trusted Root Certification Authorities, which works great! This means any device we install this cert on can connect.

Obviously we don't want to have to do this manually, so the way I see it the best thing is to purchase a cert from someone like VeriSign. I thought about certificate services in AD, and wondered if we could simply create our own cert using an internal certification authority.

Essentially my question boils down to: does a computer joined to the domain automatically trust certificates issued by a CA on the same domain, or would they still need to be manually installed on each client device? Is there any way we could use this feature of Windows Server to save us some money on certs?

Best Answer

Essentially my question boils down to: does a computer joined to the domain automatically trust certificates issued by a CA on the same domain, or would they still need to be manually installed on each client device?

Typically, the root certificate for your internal PKI is distributed via GPO to all clients. This makes it "automatic".
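An added example, not part of the original question or answer, of how to verify on a domain-joined client that the GPO-distributed root actually arrived and that the RD Gateway's certificate chains to it. The root CA thumbprint, the gateway hostname and the port are placeholders and assumptions; substitute your own values.

```powershell
# Added example (not from the original post). Assumes you know the thumbprint
# of your internal root CA (placeholder below) and that the RD Gateway is
# reachable on the given host/port. Run on a domain-joined client.
param(
    [string]$RootThumbprint = 'PLACEHOLDER_ROOT_CA_THUMBPRINT',   # assumption: replace
    [string]$GatewayHost    = 'rdgateway.example.internal',      # assumption: replace
    [int]$Port              = 443
)

# 1. Did the root land in the machine's Trusted Root store?
#    GPO-published roots (and enterprise roots autoenrolled from AD) appear in
#    Cert:\LocalMachine\Root; that is what makes the trust "automatic".
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootThumbprint }
if ($root) {
    Write-Output "Root CA '$($root.Subject)' is present in LocalMachine\Root."
} else {
    Write-Warning "Root CA $RootThumbprint is NOT in LocalMachine\Root; policy may not have applied yet (gpupdate /force, then re-check)."
}

# 2. Does the certificate the gateway presents chain to that root?
#    The validation callback returns $true only so that we can inspect the
#    chain ourselves below; it is not a pattern to use in production clients.
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($GatewayHost)

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises the CA's CRL/OCSP reachability
    $built = $chain.Build($leaf)

    Write-Output "Gateway presented: $($leaf.Subject) (expires $($leaf.NotAfter))"
    $chain.ChainElements | ForEach-Object { Write-Output "  -> $($_.Certificate.Subject)" }

    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($built -and $chainRoot.Thumbprint -eq $RootThumbprint) {
        Write-Output "OK: chain is valid and terminates at the internal root CA."
    } else {
        Write-Warning "Chain problem: Build()=$built, root=$($chainRoot.Thumbprint)"
        $chain.ChainStatus | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation)" }
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Step 1 confirms the trust anchor is in place; step 2 confirms the gateway's certificate is one the client will accept, including name matching and revocation checking, which is what the RD client itself performs at connect time. If step 1 passes but step 2 fails on a name mismatch, the gateway certificate's subject or SAN does not match the hostname users will type, which is the most common remaining cause of the "untrusted certificate" prompt after the root has been deployed.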