Setup Server 2019 Enterprise CA 4/5: Setup Group Policy

Previous: Subordinate CA


The CA servers are now configured. Next, the domain computers and servers need to trust the certificates that are created by the Subordinate Server. This is done by adding the Root CA certificate to the “Trusted Root Certification Authorities” store. The certificate can be added in multiple ways, but the easiest is with a Group Policy. In this example a separate policy is created on the Domain Controller in the root of the domain. A separate policy is not required; it is just one example of how it can be done.


Setup Group Policy


1. Open “Group Policy Management”


2. Expand “Group Policy Management” -> “Forest: <domain>” -> “Domains” and right-click your domain. Select “Create a GPO in this domain, and link it here…”


3. Enter a name for the policy, for example “Root CA Distribution policy”, and press “OK”


4. Select the created policy and press “Edit”


5. Go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Public Key Policies”, right-click “Trusted Root Certification Authorities” and select “Import”


6. Press “Next” to continue


7. Press “Browse”


8. Browse to <subordinate-ca>\CertEnroll and select the RootCA certificate. Press “Open” to continue


9. Press “Next” to continue


10. Use the default settings and press “Next”


11. Press “Finish” to import the Root CA Certificate.


12. After some time, when the import has finished, a popup will appear. Press “OK” to continue


The Root CA Certificate is now distributed to all domain devices.
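
To confirm the result on a domain-joined machine, the PowerShell check below (an added example, not part of the original article) validates the certificate file from step 8 and then looks for it in the computer's root store after a policy refresh. The `$RootCertPath` parameter is a placeholder for your own file; the registry key is the standard Windows location for root certificates delivered by Group Policy.

```powershell
# Added example (not from the original article). Run elevated on a domain-joined machine.
# $RootCertPath is a placeholder: point it at the Root CA file selected in step 8.
param(
    [Parameter(Mandatory = $true)]
    [string] $RootCertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

# A root CA certificate is self-signed and marked as a CA in Basic Constraints.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($cert.Subject -ne $cert.Issuer) { throw "Not self-signed: $($cert.Subject)" }
if (-not ($bc -and $bc.CertificateAuthority)) { throw "Basic Constraints does not mark this as a CA" }

# Compare this thumbprint out of band with the one shown on the Root CA itself.
Write-Output "Subject    : $($cert.Subject)"
Write-Output "Thumbprint : $($cert.Thumbprint)"
Write-Output "Valid until: $($cert.NotAfter)"

# Pull the new computer policy instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# The logical Root store shows whether the machine trusts the certificate;
# the Policies registry key shows that it arrived through Group Policy.
$gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$inStore = Test-Path (Join-Path 'Cert:\LocalMachine\Root' $cert.Thumbprint)
$viaGpo  = Test-Path (Join-Path $gpoKey $cert.Thumbprint)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    TrustedRoot    = $inStore
    DeliveredByGpo = $viaGpo
}

if (-not ($inStore -and $viaGpo)) {
    Write-Warning "Root CA not present via GPO; check the GPO link and run 'gpresult /r /scope:computer'."
}
```

If `TrustedRoot` is true but `DeliveredByGpo` is false, the certificate was installed on that machine by some other means and the policy itself has not applied yet.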

Next: Deploy Policy Templates

