Solved

Rolling out SSL certificate

Posted on 2010-09-21
739 Views
Last Modified: 2012-05-10
Hello,

I have a SonicWall firewall and if I enable DPI-SSL it then rewrites the certificate and it doesn't match the original, so I was wondering: is there a way through Active Directory to roll out the SonicWall certificate as a trusted certificate?

Thank you

Question by: morlauskas

14 Comments

LVL 8

Expert Comment

by:MarkieS
ID: 33725812
Yep!

Import your certificate into a new policy under:

Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities - right-click and import.

Then simply locate your certificate.

Then link the GPO to the OU you want..

cheers
 

Author Comment

by:morlauskas
ID: 33726040
I added the certificate and then enforced the policy, logged off, logged back on and tried it, and it didn't work. I checked gpedit.msc and it seems like the policy is not enforced... any ideas?
 
LVL 8

Expert Comment

by:MarkieS
ID: 33726095
Run an RSOP (Resultant Set of Policy) on your test PC to see if it is picking up your new policy or not.

To get an RSOP - Start, Run, MMC, Add/Remove Snap-in - Add and choose RSOP.

Close and OK takes you back to your MMC - right-click on RSOP and Generate.

You can then check Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities to see if your test PC has picked up the new policy.

Gotta head home now - catch up tomorrow if no-one else can help in the meantime..
 
LVL 8

Expert Comment

by:MarkieS
ID: 33726128
Additionally -
Enforcing the policy only means it will break through any "Block Inheritance" you may set, and it applies over the top of policies set further down the hierarchy tree..

Don't use "Enforce" unless you really need it.

On your client test PC run a "gpupdate /force" to get it to update its policy.

cheers
 

Author Comment

by:morlauskas
ID: 33726421
Thanks for your help on it so far. I managed to create a new GPO and import the certificate, but when I do gpupdate /force, it says it's completed but it still doesn't roll it out :( What can be wrong with my Active Directory?
 
LVL 8

Expert Comment

by:MarkieS
ID: 33732979
Have you done an RSOP? It will show you what policies are being applied.
 

Author Comment

by:morlauskas
ID: 33733008
Yeah, it shows which policies are being applied but it doesn't show me that the certificate is being applied.

LVL 8

Expert Comment

by:MarkieS
ID: 33733022
Is the policy that contains the certificate being applied?
 
LVL 8

Expert Comment

by:MarkieS
ID: 33733034
Make sure the OU you are linking the policy to contains COMPUTERS, as it's a computer setting we are trying to apply.
 

Author Comment

by:morlauskas
ID: 33733037
No, because I can't link it to the Computers OU. The reason for that is that it's the default one that comes with AD and it doesn't go in it. I don't have an option to add a GPO to that OU. I hope you understand what I mean.
 
LVL 8

Accepted Solution

by:
MarkieS earned 500 total points
ID: 33733083
OK - we're getting somewhere.

For Group Policy to work there are two sections: Computer settings and User settings.

If you have a GPO that has COMPUTER settings in it, and you apply it to an OU that contains Users - nothing will happen.
If you have a GPO that has USER settings in it, and you apply it to an OU that contains Computers - nothing will happen.
(In order to make this work you have to use Loopback but... don't go there for now!)

So you need COMPUTER settings applied to Computers and USER settings applied to Users.

So you need to apply your GPO to the OU which contains the Computer account you want this to work on.

In Active Directory Users and Computers - go to View, Advanced - does this help?

Can you move your Computer Account in Active Directory to another OU you can manage?

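The three checks that this thread works through by hand (which OU the computer account lives in, which GPOs reached the computer scope, and whether the certificate landed in the Trusted Root store) can be scripted on the test PC. The following is an added example, not code from the thread or from SonicWall; it assumes an elevated PowerShell prompt on the domain-joined test PC, the English-language `gpresult` output layout, and a placeholder `$CaThumbprint` that you replace with the thumbprint of the .cer you imported into the GPO.

```powershell
# Added example, not part of the thread. Run on the domain-joined test PC from an
# elevated PowerShell prompt. It answers the questions raised above: which OU the
# computer account sits in, which GPOs reached the COMPUTER scope, and whether the
# firewall's CA certificate landed in the machine's Trusted Root store.
# $CaThumbprint is a placeholder: paste the thumbprint of the .cer you imported.
param(
    [string]$CaThumbprint = 'REPLACE_WITH_CA_THUMBPRINT'
)
$CaThumbprint = ($CaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Where is the computer account? A GPO with computer settings has to be linked
#    at or above this OU; linking it to an OU that only holds user accounts does nothing.
$searcher = [ADSISearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
$result   = $searcher.FindOne()
if ($result) {
    Write-Host "Computer account: $($result.Properties['distinguishedname'][0])"
} else {
    Write-Warning 'Computer account not found in the domain; is this PC domain-joined?'
}

# 2. GPOs that were actually applied at computer scope (the same list RSOP shows
#    under Computer Configuration). Parsing assumes the English gpresult layout.
$inSection = $false
foreach ($line in (gpresult /r /scope:computer)) {
    if ($line -match 'Applied Group Policy Objects') { $inSection = $true; continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*-+\s*$') { continue }                        # underline row
    if ($line -match '^\s*$' -or $line -match 'were not applied') { break }
    Write-Host "Applied GPO: $($line.Trim())"
}

# 3. Did the certificate arrive? Roots pushed through Group Policy appear in
#    Cert:\LocalMachine\Root and are also recorded under this policy registry key,
#    which distinguishes a GPO-delivered root from one somebody imported by hand.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$CaThumbprint"
$inStore   = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $CaThumbprint }
if ($inStore) {
    Write-Host "CA in LocalMachine\Root: $($inStore.Subject)"
} else {
    Write-Warning 'CA not in LocalMachine\Root; run gpupdate /force, then re-run this check.'
}
Write-Host "Delivered by Group Policy: $(Test-Path $policyKey)"
```

If step 2 lists your new GPO but step 3 still says the CA is missing, the policy is reaching the computer and the problem is inside the GPO (wrong store, or the wrong file imported). If step 2 does not list it at all, the link or the OU is the problem, which is what the accepted answer describes.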
 

Author Comment

by:morlauskas
ID: 33733149
Yeah, I created a new OU, moved my computer to it, ran gpupdate /force on my machine, then checked rsop.msc and it worked: the certificate is there. Then I enabled DPI-SSL on my firewall and guess what :) it is still not trusting the certificate :) So it has rolled it out; I am now stuck on how I get it to work. I downloaded the certificate from my firewall so I am guessing it should accept it.

Could it be something to do with autoenrolment? Or maybe you have some other solution?
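The thread stops at "the certificate is in the store but the connection is still not trusted". The check a practitioner would want at this point is to look at what the firewall actually presents on an intercepted HTTPS connection and whether that chain ends at the CA you deployed. The following is an added example, not code from the thread or from SonicWall; it assumes a placeholder `$TestHost` (any HTTPS site reached through the firewall) and a placeholder `$CaThumbprint` (the thumbprint of the deployed CA), and it runs on the test PC where the GPO has applied.

```powershell
# Added example, not part of the thread. Connects through the firewall, captures the
# certificate presented for $TestHost, and asks Windows whether that certificate
# chains to a trusted root. $TestHost and $CaThumbprint are placeholders to fill in.
param(
    [string]$TestHost     = 'www.example.com',
    [string]$CaThumbprint = 'REPLACE_WITH_CA_THUMBPRINT'
)
$CaThumbprint = ($CaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Accept whatever is presented during the handshake: the point is to *see* the
# certificate. The real trust decision is made separately with X509Chain below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($TestHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Build the chain the way the OS would for an HTTPS client (revocation skipped so
# the check does not depend on reaching a CRL/OCSP endpoint through the firewall).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

Write-Host "Presented subject : $($leaf.Subject)"
Write-Host "Presented issuer  : $($leaf.Issuer)"
Write-Host "Chain root        : $($root.Subject) [$($root.Thumbprint)]"
Write-Host "Chain trusted     : $trusted $(if ($status) { "($status)" })"

if ($trusted -and $root.Thumbprint -eq $CaThumbprint) {
    Write-Host 'The intercepted connection chains to the deployed CA and this machine trusts it.'
} elseif ($root.Thumbprint -ne $CaThumbprint) {
    Write-Warning 'The chain does not end at the CA you deployed: either this connection was not intercepted, or the .cer in the GPO is not the certificate the firewall signs with.'
} else {
    Write-Warning 'The root matches but the chain is not trusted; inspect the status above (for example the CA is only in the user store, or it has expired).'
}
```

Two caveats worth knowing when reading the output: a chain that ends at a public root (not your CA) means this particular connection was not re-signed at all, so pick a host that DPI-SSL does intercept; and this script, like Internet Explorer and Chrome, consults the Windows certificate store, whereas Firefox keeps its own trust store and will keep warning even after the GPO has applied.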
 
LVL 8

Expert Comment

by:MarkieS
ID: 33733223
Sorry - certificates/SSL aren't really my thing.. AD Group Policy deployment and SCCM I'm OK on.. ;-(

Now we have it deployed via Group Policy I reckon it might be best to ask a new question - Experts will tend to ignore a question where a thread has continued so long...

Sorry I can't help further! I wouldn't be the best person to ask! ;-)
 

Author Comment

by:morlauskas
ID: 33733261
Thanks for your help, now I know why some of my policies weren't working :) and they will now :) Closing, and thanks for your help again.