Windows Server provides a certificate authority service. However, it's not clear from its documentation how (or if) the root certificate gets distributed to clients.
- Do domain member computers automatically trust the root certificate?
- If so, how and when do they get the certificate?
- Is there any user interaction required for the root certificate to be installed or trusted?
- Does the client poll Active Directory? Is it in AD DNS?
- Will it only get it during login?
- What if a domain member remotely VPNs into the LAN?
- Are there any caveats for different versions of Windows clients?
Best Answer
The method used for distribution depends on the type of CA you set up (standalone/enterprise).
For a standalone or non-Microsoft CA you generally distribute this with a group policy.
See:
When you install an Enterprise certificate authority in a domain, this happens automatically.
From TechNet: Enterprise certification authorities (Archived here.)
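
One way to check on a domain member whether the automatic distribution described in the answer has taken place (an added example, not part of the original answer): it reads the root CA certificates published in the forest's `CN=Certification Authorities` container in Active Directory and reports whether each one is present in the local machine's Trusted Root store. It assumes PowerShell 5 or later on a domain-joined machine that can reach a domain controller; the function name `Get-ADPublishedRootCA` is made up for this example.

```powershell
# Added example: compare root CA certificates published in Active Directory
# with the local machine's Trusted Root Certification Authorities store.
# Assumption: run on a domain-joined machine with a domain controller reachable.

function Get-ADPublishedRootCA {
    # RootDSE exposes the forest-wide configuration naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = "$($rootDse.configurationNamingContext)"

    # Root CA certificates for the forest are stored under Public Key Services.
    $base = "LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$base
    $searcher.Filter     = '(objectClass=certificationAuthority)'
    [void]$searcher.PropertiesToLoad.Add('cacertificate')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # One CA object can hold several certificates (for example after renewal).
            foreach ($raw in $result.Properties['cacertificate']) {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Thumbprints already trusted by this computer.
$localRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    ForEach-Object { $_.Thumbprint }

# Report each published root and whether this machine trusts it yet.
Get-ADPublishedRootCA | ForEach-Object {
    [pscustomobject]@{
        Subject          = $_.Subject
        Thumbprint       = $_.Thumbprint
        NotAfter         = $_.NotAfter
        InLocalRootStore = $localRoots -contains $_.Thumbprint
    }
} | Format-Table -AutoSize
```

A row with `InLocalRootStore` set to `False` means the certificate is published in the directory but this computer has not picked it up yet; running `gpupdate /force` and then the check again shows whether a policy refresh brings it in.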