Solved

Mass Addition of CA to Trusted CA List in Internet Explorer

Posted on 2007-11-19
Last Modified: 2013-12-08
Ok, I've recently set up my company's own CA. I'm in the process of implementing a Citrix server and have chosen to use a Direct to Server deployment using SSL and so on.

The question I have is this. Is there a way via GPO or some other means for me to add my server certificate to Internet Explorer's Trusted CA List without having to do it one at a time for every machine? I went through the GPO settings for Internet Explorer and nothing really jumped out at me. I also was unable to find an existing solution.

Thanks for any help.
Question by:Haze0830
7 Comments
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
ID: 20318478
Here are a couple of approaches:

(1) You can create a group policy object and import this certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities".  Link the GPO at the domain level to have it apply to all computers in the organization.

(2) You can set up a certification authority on your SBS server, deploy the CA certificate via GPO as described above, and re-sign your web site certificate with the CA.  Installing Certificate Services is somewhat complicated, but it can be convenient to centralize (and mostly automate) the process of issuing and revoking certificates.

0
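A way to check on one domain-joined machine that approach (1) above took effect, written as an added example that is not part of the original answer. The file path is an assumed placeholder for the exported CA certificate; the script also flags the case where a server certificate, rather than the CA's own root certificate, was exported for import.

```powershell
# Added example: verify that a root CA certificate deployed by Group Policy
# reached this machine's Trusted Root store.
param(
    # Assumed placeholder path to the exported CA certificate (.cer)
    [string]$CaCertPath = 'C:\Temp\CompanyRootCA.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$thumb = $cert.Thumbprint

# A root CA certificate is self-signed and carries Basic Constraints CA=TRUE.
# A web server certificate fails both tests and should not be pushed as a trusted root.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa       = [bool]($bc -and $bc.CertificateAuthority)
$selfSigned = ($cert.Subject -eq $cert.Issuer)
$expired    = ($cert.NotAfter -lt (Get-Date))

# Logical store that Windows and Internet Explorer consult for trust decisions
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$thumb"
# Physical store that Group Policy writes to when a GPO distributes the certificate
$viaGpo = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $thumb
    NotAfter      = $cert.NotAfter
    IsCA          = $isCa
    SelfSigned    = $selfSigned
    InTrustedRoot = $inRootStore
    DeployedByGpo = $viaGpo
}

if (-not ($isCa -and $selfSigned)) {
    Write-Warning 'This is not a self-signed CA certificate; export the CA root certificate, not the server certificate.'
}
if ($expired) {
    Write-Warning 'The certificate has expired.'
}
if ($inRootStore -and -not $viaGpo) {
    Write-Warning 'Trusted on this machine but not through Group Policy (manual import).'
}
if (-not $inRootStore) {
    Write-Warning 'Not trusted here yet; run gpupdate /force and check that the GPO applies to this computer.'
}
```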
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20326835
Haze0830,

I'm a bit confused about your intent here.  I'm assuming that you are deploying your Citrix Server for EXTERNAL users' access?  In that case creating a GPO won't do any good because you don't have control over their remote computer to be able to install anything, including an SSL certificate.  If you want to avoid the need for the user to do anything then you must use a 3rd Party Certificate which uses a CA that's already trusted by IE.  Also, if you are not using a 3rd Party Certificate on an SBS then you don't want to use Certificate Services because the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) will create the self-signed certificate automatically.

You can get an inexpensive 3rd party certificate that would work for this purpose though.  GoDaddy has them for $20.00 and instructions for installing it on your SBS can be found at http://sbsurl.com/ssl

Jeff
TechSoEasy
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20327345
They're connecting via laptops that also double as their in-house workstations. Thanks for the response though. I've got it all straightened out.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20327355
Also, that link you provided is dead.
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 20331158
Here's the GoDaddy site: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979
You'll want the Standard SSL package.

At the bottom of the page are the FAQs.
You will want the "How do I install my Web Server Certificate?" link.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20332749
I've fixed the link so it works now.

"They're connecting via laptops that also double as their in-house workstations"

If that's the case, then you definitely don't need a 3rd Party Certificate, and my comment still stands.  If you had run the CEICW and properly joined those laptops to the domain using http://<servername>/connectcomputer then the domain's self-signed certificate would have been installed automatically.  It seems as though you are just making much more work for yourself than is necessary.

If you didn't join them using ConnectComputer you would correct that by following the steps I've outlined here:
http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20337806
Right. I had already figured that out for myself. The certs were installed as a trusted CA automatically as they should have been. Initially I had tested the installation with non-domain PCs and had to manually add the certs.
0
