Solved

GPO setting to export Root and Intermediate Certificates to client machines?

Posted on 2014-09-30
2
174 Views
Last Modified: 2014-10-21
Hello there,

Please advise what is the GPO settings I need to use to exported Root and Intermediate certificates to client machines?

Thanks and Regards
0
Comment
Question by:goprasad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40353584
Group Policy has a predefined setting to push out root certs. Normally, intermediate certs need not be pushed - the authority reference field in the endpoint certificate allows the client to pull those as needed. However, if you really want to push those to a machine (for offline use, for example) then they are just registry keys. Import the intermediate locally, then search for its thumbprint (hash) value. For example;
CertificateShows the intermediate "DigiCert High Assurance CA-3" With Thumbprint selected and
RegistryShows the registry key that matches this certificate.
Exporting this allows you to embed it into the GPO; optionally, you can move between
KEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates (per-user profile certs) and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates (per-machine profile certs) by exporting in REGEDIT4 format and editing in notepad.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 40353738
When you go into Computer Configuration > Windows Settings > Security Settings > Public Key Policy   do you see Intermediate Certification Authorities.

If you do you can add the intermediate key there to push to users computers.

http://www.techrepublic.com/blog/the-enterprise-cloud/provision-an-intermediate-certificate-through-group-policy
http://technet.microsoft.com/en-us/library/cc772491.aspx
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question