Having SSL Cert trouble with group policies applied.

I am having some trouble tracking down a problem with SSL Certs (specifically EV) with computers that have group policies applied.

Basically I feel that Group Policies are prohibiting IE8 from importing the certificates to show that a site has Extended Validation enabled.  They are able to get to the websites and correctly show the SSL lock in IE.  But they aren't able to view the 'green' address bar.

If I remove the computer from group policies and reboot, then try visiting a site, gmail.com for example, the address bar turns green and notes the extended validation.

If I then switch the computer back to a group policy it will correctly show the EV cert.  But not until it is removed from group policies and can hit the website to obtain the cert and finally put back behind a group policy.

I have checked the few settings that group policies can configure but they never seem to enable what I am looking for.

I am mainly focusing in -> Computer Config -> Policies -> Windows Settings -> Security Settings -> Public Key Policies

Our environment is as follows: Windows Server 2008 Domain / Active Directory / Group Policies.  Clients are XP (SP3) and 7.  IE8 is the browser in question.  We do use an internet proxy (Postini) but have tested on and off the proxy and that doesn't seem to make a difference.

So I just cannot figure out what the problem is.  Any help would be much appreciated.  Thank you.

Probably have Windows Update restricted.  Root certs are updated 'as-needed' via Windows Update.  Since many EV cert issuing roots are newer they may not already be pre-populated and need to be downloaded.
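A diagnostic an admin could run on an affected client to test this answer's theory, added here as an example and not part of the original thread: it assumes PowerShell 2.0 or later, reads the registry value written by the "Turn off Automatic Root Certificates Update" policy, then connects to the site and reports whether the chain builds and whether its root is present in the local machine Root store (i.e. whether it was ever downloaded). The host name is a parameter; gmail.com is the site the question mentions.

```powershell
# Added example: checks the automatic root update policy and the chain for one site.
# Assumes PowerShell 2.0+ (Windows 7 / XP SP3 with PS installed) and outbound 443 access.

function Test-RootAutoUpdatePolicy {
    # Value set by the GPO "Turn off Automatic Root Certificates Update"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $item = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($item -and $item.DisableRootAutoUpdate -eq 1) {
        return 'Automatic root certificate update is DISABLED by policy'
    }
    return 'Automatic root certificate update is not disabled by policy'
}

function Get-SiteChainStatus {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any server cert here so we can inspect the chain even when trust fails
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $client.Close()
    }
    # Building the chain with CryptoAPI is what normally triggers a root download
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    New-Object PSObject -Property @{
        Site            = $HostName
        Leaf            = $leaf.Subject
        ChainBuilt      = $built
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject     = $root.Subject
        RootThumbprint  = $root.Thumbprint
        RootInLocalStore = [bool]$inRootStore
    }
}

Test-RootAutoUpdatePolicy
Get-SiteChainStatus -HostName 'gmail.com' | Format-List
```

If the policy reports DISABLED, or the chain reports an untrusted root that is absent from the local store on a machine still under the GPO, that matches the behaviour described in the question.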


I gave a look through WSUS and we do have the Root Cert updates approved for the November 2009 Root Certificate.  Best I can tell that is the most recent one per http://support.microsoft.com/kb/931125.

I verified my test machine was listed as having that update installed and it was.

I also performed a manual Windows Update while the machine was off Group Policy and did not find any Root Cert updates waiting for it.

I was hoping before that something along those lines would fix it as well.

Try adding the code signing cert to the Trusted Publishers store in Certificates MMC (local computer). You can right-click and drag to copy from another store if you already have it installed.  You can deploy via GPO for the rest of your clients.

