Mass Addition of CA to Trusted CA List in Internet Explorer

Posted on 2007-11-19
Last Modified: 2013-12-08
Ok, I've recently set up my company's own CA. I'm in the process of implementing a Citrix server and have chosen to use a Direct to Server deployment using SSL and so on.

The question I have is this. Is there a way via GPO or some other means for me to add my server certificate to Internet Explorer's Trusted CA List without having to do it one at a time for every machine? I went through the GPO settings for Internet Explorer and nothing really jumped out at me. I also was unable to find an existing solution.

Thanks for any help.
Question by:Haze0830
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 250 total points
ID: 20318478
Here are a couple of approaches:

(1) You can create a group policy object and import this certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities".  Link the GPO at the domain level to have it apply to all computers in the organization.

(2) You can set up a certification authority on your SBS server, deploy the CA certificate via GPO as described above, and re-sign your web site certificate with the CA.  Installing Certificate Services is somewhat complicated, but it can be convenient to centralize (and mostly automate) the process of issuing and revoking certificates.

0
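
One way to confirm on a domain-joined client that the GPO from approach (1) actually delivered the CA certificate, as an added example that is not part of the original answer. The certificate file path is a placeholder; the script also flags the case where the file is a server (leaf) certificate rather than a CA certificate.

```powershell
# Added example (not from the thread). Run on a client after a Group Policy refresh.
param(
    # Placeholder path to the exported CA certificate (.cer) that was imported into the GPO
    [string]$CaCertPath = 'C:\Temp\company-root-ca.cer'
)

$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
$thumb = $ca.Thumbprint

# A certificate placed in Trusted Root should be a self-signed CA certificate,
# not the Citrix server's own (leaf) certificate.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa       = [bool]($bc -and $bc.CertificateAuthority)
$selfSigned = ($ca.Subject -eq $ca.Issuer)

# Logical machine store that Internet Explorer consults for trusted roots.
$inRootStore = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

# Roots distributed by Group Policy are written under the Policies hive,
# which separates them from certificates someone imported by hand.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
$fromGpo   = Test-Path -Path $policyKey

[pscustomobject]@{
    Subject           = $ca.Subject
    Thumbprint        = $thumb
    NotAfter          = $ca.NotAfter
    IsCaCertificate   = $isCa
    SelfSigned        = $selfSigned
    InTrustedRoot     = $inRootStore
    DeliveredByPolicy = $fromGpo
}

if (-not ($isCa -and $selfSigned)) {
    Write-Warning 'This does not look like a root CA certificate; import the CA certificate, not the server certificate.'
}
if ($inRootStore -and -not $fromGpo) {
    Write-Warning 'Certificate is trusted but was not delivered by Group Policy (manual import?).'
}
if (-not $inRootStore) {
    Write-Warning 'Certificate is not in the machine Trusted Root store; check GPO link and scope.'
}
```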
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20326835
Haze0830,

I'm a bit confused about your intent here.  I'm assuming that you are deploying your Citrix Server for EXTERNAL users' access?  In that case creating a GPO won't do any good because you don't have control over their remote computer to be able to install anything, including an SSL certificate.  If you want to avoid the need for the user to do anything then you must use a 3rd Party Certificate which uses a CA that's already trusted by IE.  Also, if you are not using a 3rd Party Certificate on an SBS then you don't want to use Certificate Services because the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email) will create the self-signed certificate automatically.

You can get an inexpensive 3rd party certificate that would work for this purpose though.  GoDaddy has them for $20.00 and instructions for installing it on your SBS can be found at http://sbsurl.com/ssl

Jeff
TechSoEasy
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20327345
They're connecting via laptops that also double as their in-house workstations. Thanks for the response though. I've got it all straightened out.
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20327355
Also, that link you provided is dead.
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 20331158
Here's the GoDaddy site: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979
You'll want the Standard SSL package.

At the bottom of the page are the FAQs.
You will want the "How do I install my Web Server Certificate?" link.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20332749
I've fixed the link so it works now.

"They're connecting via laptops that also double as their in-house workstations"

If that's the case, then you definitely don't need a 3rd Party Certificate, and my comment still stands.  If you had run the CEICW and properly joined those laptops to the domain using http://<servername>/connectcomputer then the domain's self-signed certificate would have been installed automatically.  It seems as though you are just making much more work for yourself than is necessary.

If you didn't join them using ConnectComputer you would correct that by following the steps I've outlined here:
http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
 
LVL 2

Author Comment

by:Haze0830
ID: 20337806
Right. I had already figured that out for myself. The certs were installed as a trusted CA automatically as they should have been. Initially I had tested the installation with non-domain PCs and had to manually add the certs.
0