Install Trusted root certificate authority certificate via GPO

certificate-authority, group-policy, windows-server-2008

We have a Win2k8 as a Domain Controller in a domain with workstations that run Windows XP. I would like to be able to install via GPO a new trusted root certificate authority certificate that I've generated myself.

I've created a GPO, imported the certificate in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificate Authorities and assigned the GPO to a group of users. When I do a gpupdate /force on the workstation I can't see the certificate being imported … even if I reboot the station.

Next, I thought that maybe I could do better if I created an intermediate root certificate authority directly on the DC and deployed the intermediate root certificate authority via the GPO. I generated the certificate for the intermediate authority and imported it into the same GPO under Intermediate Certification Authorities.

Again, I ran the gpupdate /force (and rebooted) and checked the workstation. Couldn't see anything either in the Intermediate or the Root Authorities section.

After a bit of googling I managed to find this MSI package Link, installed it on two workstations via a GPO, ran the gpupdate /force on the workstations and noticed that the intermediate authority certificate was installed on the workstations but the root CA wasn't.

Does anyone have any ideas what I could try next?

Thanks.

LE. Forgot to mention the Root CA is on a standalone machine, not part of the domain and which I plan to keep offline.

Best Answer

I've created a GPO, imported the certificate in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificate Authorities and assigned the GPO to a group of users

If you are using the "Computer Configuration" policy tree then it will need to be linked to an OU where the computer accounts are stored.

If you need to install the certificates into the user's certificate store then certutil might help. Microsoft's documentation on certutil. Use certutil -installcert <certfile> (I think that one can be run as a user) or certutil -addstore -user root <cert file> in a login script. Note, I haven't tested these; the commands are straight from the help (certutil -v -?).
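An added example, not part of the original question or answer: a logon script built on the answer's certutil suggestion that adds the root CA certificate to the Root store only when a certificate with the expected thumbprint is not already there, and re-checks the thumbprint afterwards so a wrong .cer file is noticed instead of being trusted silently. The NETLOGON path and the thumbprint are placeholders to replace with your own values.

```batch
@echo off
rem Added example (not from the original post): logon/startup script that installs the
rem root CA certificate only if it is missing, then verifies it by SHA-1 thumbprint.
rem Placeholders: CERTFILE is the .cer published on the NETLOGON share, THUMB is the
rem 40-hex-digit SHA-1 thumbprint of your root CA certificate (no spaces).
set CERTFILE=\\dc01\netlogon\corp-root-ca.cer
set THUMB=0000000000000000000000000000000000000000
set LOG=%TEMP%\rootca-deploy.log

rem A logon script runs as the user, so target the user's store with -user.
rem For a computer startup script (runs as SYSTEM) use "set SCOPE=" to target
rem the machine store instead; that is the store the GPO setting in the question fills.
set SCOPE=-user

rem -verifystore with a SHA-1 hash as CertId exits non-zero when no such cert is in the store.
certutil %SCOPE% -verifystore root %THUMB% >nul 2>&1
if %errorlevel%==0 (
    echo Root CA %THUMB% already present, nothing to do.
    goto :eof
)

certutil %SCOPE% -addstore root "%CERTFILE%" >nul 2>&1
if %errorlevel% neq 0 (
    echo Failed to add %CERTFILE%, certutil exit code %errorlevel% >> "%LOG%"
    goto :eof
)

rem Re-check by thumbprint: if the file held a different certificate this fails and is logged.
certutil %SCOPE% -verifystore root %THUMB% >nul 2>&1
if %errorlevel%==0 (
    echo Root CA %THUMB% installed into the root store.
) else (
    echo %CERTFILE% was added but thumbprint %THUMB% is not in the store; check the file >> "%LOG%"
)
```

If the check keeps failing after the GPO is linked to the computers' OU, run gpresult on the workstation to confirm the policy is actually being applied to the computer account rather than the user.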