17 August 2011

Adding certificates to your domain using a group policy

In http://fixmyitsystem.com/2011/08/rdp-rds-unexpected-server.html I referred to using a group policy to apply the Entrust trusted certificate chain to your domain. Here is how. It is the long way round, but it should be foolproof, and since you only need to do this once it is worthwhile.

Obtain the required certificates.
There are three ways to go about this.

  • If you have the certificate chain correctly installed on one machine you can export it from that machine. Skip to extracting the individual certificates.
  • If you have purchased an Entrust certificate there is a nice GUI wizard process to get the certificates. But since not everyone has purchased a certificate I will cover the third method, which can be used by everyone.
  • Retrieve the certificates from the CA's site directly. This varies from CA to CA, but they all should provide them in one way or another.


Installing the certificates on the local machine
Follow this link to the Entrust support site: http://www.entrust.net/knowledge-base/technote.cfm?tn=7869



The certificate on that page contains the whole chain. Importing it with the wizard splits it into the appropriate stores, from which the individual certificates can then be exported. Before importing anything into Trusted Root, compare the root certificate's thumbprint with the fingerprint Entrust publishes: whatever goes into that store is trusted by every machine the policy reaches, and you copied this text from a web page.

  • Select and copy the certificate from the site
  • Open a text file and paste the certificate
  • Save the file as EntrustChain.cer
  • Open the MMC on the local computer and add the Certificates snap-in
  • Select Computer account - Local computer
  • Expand the tree - Trusted Root Certification Authorities - Certificates
  • Right-click Certificates - All Tasks - Import
  • Select the .cer file you created earlier
  • Select "Automatically select the certificate store based on the type of certificate"
  • Finish the wizard


Extract the individual certificates
Because you don't want to take any chances when creating the group policy, export each certificate separately in DER format so that each one can be placed in exactly the store it belongs in.

  • Open the MMC on the local computer and add the Certificates snap-in
  • Select Computer account - Local computer
  • Expand the tree - Trusted Root Certification Authorities - Certificates
  • Select the Entrust.net Certification Authority (2048) certificate
  • Right-click the certificate - All Tasks - Export
  • Select the "DER encoded binary X.509 (.CER)" format
  • Save the file as Entrust2048.cer
Repeat the process for the intermediate CA:

  • Expand the tree - Intermediate Certification Authorities - Certificates
  • Select the Entrust Certification Authority - L1C certificate
  • Right-click the certificate - All Tasks - Export
  • Select the "DER encoded binary X.509 (.CER)" format
  • Save the file as EntrustL1C.cer
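The same extraction done as a script, added here as an example (this is not the post's own code). It reads the EntrustChain.cer text file saved earlier, splits it into its individual certificates, decides which one is the root (subject equals issuer) and which are intermediates, and writes each out as a DER .cer file. File names are built from each certificate's CN, so they will differ from the Entrust2048.cer and EntrustL1C.cer names used in the steps; rename them or adjust the GPO import step. Setting $installLocally to $true also adds each certificate to the matching LocalMachine store, which is what the MMC import with "Automatically select" does; that part needs an elevated prompt.

```powershell
# Added example, not from the original post. Assumes EntrustChain.cer (the PEM text
# copied from the CA's page) is in the current directory.
$chainFile      = Join-Path (Get-Location) 'EntrustChain.cer'
$installLocally = $false   # $true = also add to the LocalMachine Root / CA stores (run elevated)

$pem    = [IO.File]::ReadAllText($chainFile)
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) { throw "No PEM certificate blocks found in $chainFile" }

foreach ($block in $blocks) {
    # Base64 body -> DER bytes -> X509Certificate2 (the comma keeps the byte[] as one argument)
    $der  = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # A root CA is self-signed: subject and issuer are the same DN.
    # Roots belong in 'Root' (Trusted Root CAs); everything else in 'CA' (Intermediate CAs).
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    # Build a file name from the CN, e.g. "Entrust.net Certification Authority (2048)"
    # becomes EntrustnetCertificationAuthority2048.cer
    $cn      = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { $cert.Thumbprint }
    $outFile = Join-Path (Get-Location) (($cn -replace '[^A-Za-z0-9]', '') + '.cer')

    # Export as DER, the same format the MMC "DER encoded binary X.509" option produces
    $derOut = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($outFile, $derOut)

    if ($installLocally) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($cert)
        $store.Close()
    }

    # Print the thumbprint so it can be checked against the fingerprint the CA publishes
    '{0,-4} {1}  {2}  -> {3}' -f $storeName, $cert.Thumbprint, $cn, (Split-Path $outFile -Leaf)
}
```

The subject-equals-issuer test is what makes this safe to reuse for another CA's chain: you never have to know in advance which block in the file is the root, and a chain file that accidentally contains a leaf certificate will be flagged as 'CA' rather than silently pushed into Trusted Root.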

Add the certificates to a group policy
This is the most important part, and what the entire article is about.
  • Open the Group Policy Management Console
  • Create or edit an existing policy (I would suggest creating a test policy first)
  • Expand to Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies
  • Select Trusted Root Certification Authorities
  • Right-click - All Tasks - Import
  • Select the Entrust2048.cer file created earlier
  • Place all certificates in the following store - Trusted Root Certification Authorities
  • Finish the wizard
  • Select Intermediate Certification Authorities
  • Right-click - All Tasks - Import
  • Select the EntrustL1C.cer file created earlier
  • Place all certificates in the following store - Intermediate Certification Authorities
  • Finish the wizard

Checking the policy setting, you should see the Entrust.net Certification Authority (2048) certificate listed under Trusted Root Certification Authorities and the Entrust Certification Authority - L1C certificate under Intermediate Certification Authorities.

  • Apply the group policy (link it to a test OU, then run gpupdate /force on the test machine or wait for the next refresh).
  • Check the local computer certificates on the test machine and confirm that the correct certificates are in the correct certificate stores.
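A scripted version of that check, added here as an example rather than taken from the post. Run it on the test machine after the policy has applied, with the two exported .cer files in the current directory. It looks each certificate up by thumbprint in the store it should be in, checks that it arrived through Group Policy (policy-delivered certificates are also written under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates, separately from manually imported ones), and then asks Windows to build a chain from the intermediate, which only succeeds if the root is actually trusted.

```powershell
# Added example, not from the original post. Run on the test machine after
# "gpupdate /force". Assumes Entrust2048.cer and EntrustL1C.cer are in the current directory.
$expected = @{
    'Entrust2048.cer' = 'Root'   # must land in Trusted Root Certification Authorities
    'EntrustL1C.cer'  = 'CA'     # must land in Intermediate Certification Authorities
}
# Certificates delivered by Group Policy also appear under this registry key
$gpoStores = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
$allGood   = $true

foreach ($file in $expected.Keys) {
    $storeName = $expected[$file]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (Join-Path (Get-Location) $file)

    # Look the certificate up by thumbprint in the LocalMachine store it should be in
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadOnly')
    $hits = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    $store.Close()

    $inStore = ($hits.Count -gt 0)
    # Present in the logical store but absent here means it was installed by hand, not by policy
    $viaGpo  = Test-Path (Join-Path $gpoStores "$storeName\Certificates\$($cert.Thumbprint)")
    if (-not $inStore) { $allGood = $false }

    '{0,-16} store={1,-4} present={2,-5} viaGPO={3,-5} {4}' -f $file, $storeName, $inStore, $viaGpo, $cert.Thumbprint
}

# Build a chain from the intermediate: it only succeeds if the root is in a trusted store.
$intermediate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (Join-Path (Get-Location) 'EntrustL1C.cer')
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the test offline; CRL/OCSP reachability is a separate check
$built = $chain.Build($intermediate)
"Chain builds: $built"
foreach ($el in $chain.ChainElements) { '  ' + $el.Certificate.Subject }
foreach ($st in $chain.ChainStatus)   { '  status: ' + $st.Status + ' ' + $st.StatusInformation }
if (-not $built) { $allGood = $false }

if ($allGood) { 'OK: the policy-delivered chain is in place' } else { Write-Warning 'Something is missing; see the lines above' }
```

The viaGPO column is the useful one on a machine where someone may already have imported the Entrust certificates by hand: a certificate can show as present while the policy itself has not actually delivered it, and that difference only shows up once you look at the Group Policy physical store.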

Conclusion
This process will ensure that the full certificate authority chain is added to all machines that have the policy applied. I covered how to install the Entrust certificates, but the same can be done to make your private CA trusted by another company or domain.


