
Rolling out SSL certificate

Hello,

I have a SonicWall firewall, and if I enable DPI-SSL it then rewrites the certificate and it doesn't match the original, so I was wondering: is there a way through Active Directory to roll out the SonicWall certificate as a trusted certificate?

Thank you

Asked by: morlauskas

1 Solution
 
MarkieS Commented:
Yep!

Import your certificate into a new policy under:

Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities - right click and import.  

Then simply locate your certificate

Then link the GPO to the OU you want.

cheers
 
morlauskas (Author) Commented:
I added the certificate and then enforced the policy, logged off, logged back on and tried it, and it didn't work. I checked gpedit.msc and it seems like the policy is not enforced... any ideas?
 
MarkieS Commented:
Run an RSOP (Resultant Set Of Policies) on your test PC to see if it is picking up your new policy or not.

To get an RSOP - Start, Run, MMC, Add/Remove Snap-in - Add and choose RSOP

Close and OK takes you back to your MMC - right-click on RSOP and Generate

You can then check the Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities to see if your test PC has picked up the new policy.

Gotta head home now - catch up tomorrow if no-one else can help in the meantime..


 
MarkieS Commented:
Additionally -
Enforcing the policy only means it will break through any "blocking Inheritance" you may set, and it applies over the top of policies set further down the hierarchy tree.

Don't use "Enforce" unless you really need it.

On your client test PC run a "GPUPDATE /force" to get it to update its policy.

cheers
 
morlauskas (Author) Commented:
Thanks for your help on it so far. I managed to create a new GPO and import the certificate, but when I do gpupdate /force, it says it's completed but it still doesn't roll it out :( What can be wrong with my Active Directory?
 
MarkieS Commented:
Have you done an RSOP? It will show you what policies are being applied.
 
morlauskas (Author) Commented:
Yeah, it shows which policies are being applied but it doesn't show me that the certificate is being applied.
 
MarkieS Commented:
Is the policy that contains the certificate being applied?
 
MarkieS Commented:
Make sure the OU you are linking the policy to contains COMPUTERS, as it's a Computer setting we are trying to apply.
 
morlauskas (Author) Commented:
No, because I can't link it to the computer OU. The reason for that is because it's the default computer that comes with AD and it doesn't go in it. I don't have an option to add a GPO to that OU. I hope you understand what I mean.
 
MarkieS Commented:
OK - We're getting somewhere.

For the Group Policy to work there are two sections.  Computers settings and User settings.

If you have a GPO that has COMPUTER settings in it, and you apply it to an OU that contains Users - nothing will happen.
If you have a GPO that has USER settings in it, and you apply it to an OU that contains Computers - nothing will happen.
(In order to make this work you have to use Loopback but ... don't go there for now!)

So you need COMPUTER settings applied to Computers and USER settings applied to users.

So you need to apply your GPO to the OU which contains the Computer account you want this to work on.

In Active Directory Users and Computers - Go to View, Advanced - does this help?

Can you move your Computer Account in Active Directory to another OU you can manage?

 
morlauskas (Author) Commented:
Yeah, I created a new OU, moved my computer to it, ran gpupdate /force on my machine, then checked rsop.msc and it worked: the certificate is there. Then I enabled DPI-SSL on my firewall and guess what :) it is still not trusting the certificate :) So it has rolled it out; I am now stuck on how to get it to work. I downloaded the certificate from my firewall so I am guessing it should accept it.

Could it be something to do with autoenrolment? Or maybe you have some other solution?
 
MarkieS Commented:
Sorry - Certificates/SSL aren't really my thing..  AD Group Policy Deployment and SCCM I'm OK on.. ;-(

Now we have it deployed via Group Policy I reckon it might be best to ask a new question - Experts will tend to ignore a question where a thread has continued so long...

Sorry I can't help further! I wouldn't be the best person to ask! ;-)
 
morlauskas (Author) Commented:
Thanks for your help, now I know why some of my policies weren't working :) and they will now :) Closing, and thanks for your help again.
Question has a verified solution.
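
A check that ties the thread's steps together, as an added example that is not part of the original thread: it reports whether the computer account sits in the built-in Computers container, whether Group Policy delivered the certificate, and whether the chain presented through the firewall ends at that same CA. The certificate path and test host are assumptions, and it assumes a domain-joined PC with PowerShell 5 or later.

```powershell
# Added example (not from the thread). $CertPath and $TestHost are assumed values.
param(
    [string]$CertPath = 'C:\Temp\dpi-ssl-ca.cer',  # hypothetical: CA exported from the firewall
    [string]$TestHost = 'www.example.com'          # any HTTPS site reached through the firewall
)
$ca    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$thumb = $ca.Thumbprint

# 1. Where is the computer account? The built-in CN=Computers container is not
#    an OU, so no GPO can be linked to it.
$searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
$dn = [string]$searcher.FindOne().Properties['distinguishedname'][0]
$inDefaultContainer = $dn -match '^CN=[^,]+,CN=Computers,DC='

# 2. Did Group Policy deliver the certificate? GPO-distributed roots are written
#    under the Policies key and appear in the LocalMachine\Root store.
$viaGpo  = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
$inStore = Test-Path "Cert:\LocalMachine\Root\$thumb"

# 3. Which certificate tops the chain the firewall presents? Validation is not
#    relaxed: the callback records the chain and returns the real verdict.
$script:top = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $errors)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $script:top = $last | Select-Object Subject, Issuer, Thumbprint  # copy before the chain is disposed
    $errors -eq [System.Net.Security.SslPolicyErrors]::None
}
$tcp = [System.Net.Sockets.TcpClient]::new($TestHost, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($TestHost); $trusted = $true }
catch   { $trusted = $false }
finally { $ssl.Dispose(); $tcp.Dispose() }

[pscustomobject]@{
    ComputerDN            = $dn
    InDefaultComputersCN  = $inDefaultContainer
    DeliveredByGpo        = $viaGpo
    InLocalMachineRoot    = $inStore
    ChainTrusted          = $trusted
    ChainTopSubject       = $script:top.Subject
    ChainTopIssuer        = $script:top.Issuer
    ChainEndsAtDeployedCA = ($script:top.Thumbprint -eq $thumb)
}
```

If `DeliveredByGpo` is true but `ChainEndsAtDeployedCA` is false, `ChainTopIssuer` names the certificate that is actually signing inspected traffic, which can then be compared with the one that was exported and deployed.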
