Mass Addition of CA to Trusted CA List in Internet Explorer

OK, I've recently set up my company's own CA. I'm in the process of implementing a Citrix server and have chosen to use a Direct to Server deployment using SSL and so on.

The question I have is this. Is there a way via GPO or some other means for me to add my server certificate to Internet Explorer's Trusted CA List without having to do it one at a time for every machine? I went through the GPO settings for Internet Explorer and nothing really jumped out at me. I also was unable to find an existing solution.

Thanks for any help.
Haze0830 Asked:
Phil_Agcaoili Commented:
Here are a couple of approaches:

(1) You can create a group policy object and import this certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities".  Link the GPO at the domain level to have it apply to all computers in the organization.

(2) You can set up a certification authority on your SBS server, deploy the CA certificate via GPO as described above, and re-sign your web site certificate with the CA.  Installing Certificate Services is somewhat complicated, but it can be convenient to centralize (and mostly automate) the process of issuing and revoking certificates.

0
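An added example to accompany the Group Policy approach in the answer above (not part of the original thread): a PowerShell check that the file about to be imported really is a CA certificate rather than a server certificate, and that a client has received it through policy. The function name and the default file path are hypothetical; the "self-signed" test only compares subject and issuer.

```powershell
# Added example, not from the thread. Function name and default path are assumptions.
function Test-RootCaDeployment {
    param(
        # Assumed path to the CA certificate exported for the GPO import
        [string]$CertPath = 'C:\Temp\CompanyRootCA.cer'
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $thumb = $cert.Thumbprint

    # Pre-flight: a root CA certificate has subject = issuer and Basic Constraints CA=TRUE.
    # A server (leaf) certificate fails these checks and does not belong in the root store.
    $basic      = $cert.Extensions['2.5.29.19']      # OID of Basic Constraints
    $isCa       = [bool]($basic -and $basic.CertificateAuthority)
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # Client side: the merged machine root store, and the registry location
    # where Group Policy writes distributed root certificates.
    $inRootStore = Test-Path "Cert:\LocalMachine\Root\$thumb"
    $gpoKey      = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    $fromPolicy  = Test-Path $gpoKey

    [pscustomobject]@{
        Subject                = $cert.Subject
        Thumbprint             = $thumb
        NotAfter               = $cert.NotAfter
        IsCaCertificate        = $isCa
        SubjectEqualsIssuer    = $selfSigned
        InMachineRootStore     = $inRootStore
        DeliveredByGroupPolicy = $fromPolicy
    }
}

$result = Test-RootCaDeployment
$result | Format-List

if (-not ($result.IsCaCertificate -and $result.SubjectEqualsIssuer)) {
    Write-Warning 'This file is not a self-issued CA certificate; do not import it as a trusted root.'
}
if ($result.InMachineRootStore -and -not $result.DeliveredByGroupPolicy) {
    Write-Warning 'Certificate is trusted on this machine but was not delivered by policy (manual import?).'
}
```

Run it on a domain-joined client after the policy has refreshed; a machine that shows the certificate in the root store but not under the policy key was trusted by some other route.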
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Haze0830,

I'm a bit confused about your intent here.  I'm assuming that you are deploying your Citrix Server for EXTERNAL users' access?  In that case creating a GPO won't do any good because you don't have control over their remote computer to be able to install anything, including an SSL certificate.  If you want to avoid the need for the user to do anything then you must use a 3rd Party Certificate which uses a CA that's already trusted by IE.  Also, if you are not using a 3rd Party Certificate on an SBS then you don't want to use Certificate Services because the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) will create the self-signed certificate automatically.

You can get an inexpensive 3rd party certificate that would work for this purpose though.  GoDaddy has them for $20.00 and instructions for installing it on your SBS can be found at http://sbsurl.com/ssl

Jeff
TechSoEasy
0
 
Haze0830 (Author) Commented:
They're connecting via laptops that also double as their in-house workstations. Thanks for the response though. I've got it all straightened out.
0
 
Haze0830 (Author) Commented:
Also, that link you provided is dead.
0
 
Phil_Agcaoili Commented:
Here's the GoDaddy site: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979
You'll want the Standard SSL package.

At the bottom of the page are the FAQs.
You will want the "How do I install my Web Server Certificate?" link.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I've fixed the link so it works now.

"They're connecting via laptops that also double as their in-house workstations"

If that's the case, then you definitely don't need a 3rd Party Certificate, and my comment still stands.  If you had run the CEICW and properly joined those laptops to the domain using http://<servername>/connectcomputer then the domain's self-signed certificate would have been installed automatically.  It seems as though you are just making much more work for yourself than is necessary.

If you didn't join them using ConnectComputer you would correct that by following the steps I've outlined here:
http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
 
Haze0830 (Author) Commented:
Right. I had already figured that out for myself. The certs were installed as a trusted CA automatically as they should have been. Initially I had tested the installation with non-domain PCs and had to manually add the certs.
0
Question has a verified solution.
