Rolling out SSL certificate

Hello,

I have a SonicWall firewall, and if I enable DPI-SSL it rewrites the certificate so that it doesn't match the original. So I was wondering: is there a way through Active Directory to roll out the SonicWall certificate as a trusted certificate?

Thank you

morlauskas Asked:
 
MarkieS Commented:
OK - We're getting somewhere.

For the Group Policy to work there are two sections: Computer settings and User settings.

If you have a GPO that has COMPUTER settings in it, and you apply it to an OU that contains Users - nothing will happen.
If you have a GPO that has USER settings in it, and you apply it to an OU that contains Computers - nothing will happen.
(In order to make this work you have to use Loopback but ... don't go there for now!)

So you need COMPUTER settings applied to Computers and USER settings applied to users.

So you need to apply your GPO to the OU which contains the Computer account you want this to work on.

In Active Directory Users and Computers - Go to View, Advanced - does this help?

Can you move your Computer Account in Active Directory to another OU you can manage?

0
 
MarkieS Commented:
Yep!

Import your certificate into a new policy under:

Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities - right click and import.  

Then simply locate your certificate.

Then link the GPO to the OU you want.

cheers
0
 
morlauskas (Author) Commented:
I added the certificate and then enforced the policy, logged off, logged back on and tried it, and it didn't work. I checked gpedit.msc and it seems like the policy is not enforced... any ideas?
0

 
MarkieS Commented:
Run an RSOP (Resultant Set Of Policies) on your test PC to see if it is picking up your new policy or not.

To get an RSOP - Start, Run, MMC, Add/Remove Snap-in - Add and choose RSOP

Close and OK takes you back to your MMC - right-click on RSOP and Generate

You can then check the Computer Settings, Windows Settings, Security Settings, Public Key Policies/Trusted Root Certification Authorities to see if your test PC has picked up the new policy.

Gotta head home now - catch up tomorrow if no-one else can help in the meantime..

0
 
MarkieS Commented:
Additionally -
Enforcing the policy only means it will break through any "Block Inheritance" you may set and it applies over the top of policies set further down the hierarchy tree.

Don't use "Enforce" unless you really need it.

On your client test PC run a "gpupdate /force" to get it to update its policy

cheers
0
 
morlauskas (Author) Commented:
Thanks for your help on it so far. I managed to create a new GPO and import the certificate, but when I do gpupdate /force, it says it's completed but it still doesn't roll it out :( What can be wrong with my Active Directory?
0
 
MarkieS Commented:
Have you done a RSOP?  It will show you what policies are being applied.
0
 
morlauskas (Author) Commented:
Yeah, it shows which policies are being applied but it doesn't show me that the certificate is being applied.
0
 
MarkieS Commented:
Is the policy that contains the certificate being applied?
0
 
MarkieS Commented:
Make sure the OU you are Linking the policy to contains COMPUTERS as it's a Computer setting we are trying to apply
0
 
morlauskas (Author) Commented:
No, because I can't link it to the computer OU. The reason for that is because it's the default computer one that comes with AD and it doesn't go in it. I don't have an option to add a GPO to that OU. I hope you understand what I mean.
0
 
morlauskas (Author) Commented:
Yeah, I created a new OU, moved my computer to it, ran gpupdate /force on my machine, then checked rsop.msc and it worked, the certificate is there. Then I enabled DPI-SSL on my firewall and guess what :) it is still not trusting the certificate :) So it has rolled it out; I am now stuck on how do I get it to work. I downloaded the certificate from my firewall so I am guessing it should accept it.

Could it be something to do with autoenrolment? Or maybe you have some other solution?
0
 
MarkieS Commented:
Sorry - Certificates/SSL aren't really my thing. AD Group Policy Deployment and SCCM I'm OK on.. ;-(

Now we have it deployed via Group Policy I reckon it might be best to ask a new question - Experts will tend to ignore a question where a thread has continued so long...

Sorry I can't help further! I wouldn't be the best person to ask! ;-)
0
 
morlauskas (Author) Commented:
Thanks for your help, now I know why some of my policies weren't working :) and they will now :) Closing, and thanks for your help again.
0
Question has a verified solution.
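
An added example (not part of the original thread): a PowerShell check, run elevated on a domain-joined test PC, of the two things this thread turned on, namely whether the computer account sits in an OU a GPO can be linked to, and whether the exact certificate imported into the GPO reached the machine's Trusted Root store. The function name and the `.cer` path are placeholders chosen for illustration.

```powershell
# Added example: confirm a GPO-deployed root certificate actually reached this PC.
# Assumption: $CerPath points at the certificate file exported from the firewall
# (the same file that was imported into the GPO). The path used below is a placeholder.
function Test-GpoRootCertificate {
    param([Parameter(Mandatory)][string]$CerPath)

    # 1. Where does this computer account live? GPOs link to OUs, not to the
    #    default CN=Computers container, so a machine left there never gets the policy.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $result   = $searcher.FindOne()
    $dn       = if ($result) { [string]$result.Properties['distinguishedname'][0] } else { $null }
    # Parent = DN minus the first RDN (split on the first unescaped comma).
    $parent   = if ($dn) { ($dn -split '(?<!\\),', 2)[1] } else { $null }

    # 2. Thumbprint of the file that was imported into the GPO.
    $file  = (Resolve-Path -LiteralPath $CerPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $thumb = $cert.Thumbprint

    # 3. Is that exact certificate in the machine Trusted Root store,
    #    and was it delivered by Group Policy (policy-backed registry store)?
    $inStore = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"
    $viaGpo  = Test-Path -LiteralPath `
        "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"

    [pscustomobject]@{
        ComputerDN         = $dn
        InDefaultContainer = [bool]($parent -like 'CN=Computers,*')
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        Thumbprint         = $thumb
        InTrustedRootStore = $inStore
        DeliveredByPolicy  = $viaGpo
    }
}

# Refresh computer policy first, then report.
gpupdate /target:computer /force | Out-Null
Test-GpoRootCertificate -CerPath 'C:\Temp\firewall-dpi-ssl-ca.cer' | Format-List
```

`InDefaultContainer = True` together with `DeliveredByPolicy = False` is the situation described earlier in the thread; comparing `Thumbprint` with the issuer of the certificate a browser is actually shown confirms whether the file that was deployed is the one doing the re-signing.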
