Previous: Subordinate CA
Updated 11-12-2020: updated the file path in step 8.
The CA servers are now configured. Next, the domain computers and servers need to trust the certificates issued by the Subordinate CA, and since every one of those chains up to the Root CA, that means trusting the Root CA: its certificate has to be in each machine's “Trusted Root Certification Authorities” store. (Only the Root CA certificate belongs there; the Subordinate CA certificate is an intermediate and is not placed in the root store.) The certificate can be added in several ways, but the easiest is a Group Policy. In this example a separate policy is created on the Domain Controller and linked at the root of the domain. That is not required; it is just one way of doing it.
Setup Group Policy
1. Open “Group Policy Management”
2. Expand “Group Policy Management” -> “Forest: <domain>” -> “Domains”, right-click your domain and select “Create a GPO in this domain, and link it here…”
3. Enter a name for the policy for example “Root CA Distribution policy” and press “OK”
4. Select the created policy and press “Edit”
5. Go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Public Key Policies”, right-click “Trusted Root Certification Authorities” and select “Import”
6. Press “Next” to continue
7. Press “Browse”
8. Browse to \\<subordinate-ca>\c$\inetpub\wwwroot\CertEnroll and select the Root CA certificate (the .crt file of the Root CA, not the Subordinate CA certificate). Press “Open” to continue
9. Press “Next” to continue
10. Keep the default settings (the certificate store is already set to “Trusted Root Certification Authorities”) and press “Next”
11. Press “Finish” to import the Root CA Certificate.
12. When the import has finished, a popup appears after a short while. Press “OK” to continue
The Root CA certificate is now distributed to every domain computer the policy applies to. Each machine picks it up at its next Group Policy refresh (by default every 90 minutes with a random offset of up to 30 minutes, or immediately after running gpupdate /force), so check the “Trusted Root Certification Authorities” store on a member machine before moving on.
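To confirm the policy actually did its job, the following script, added here as an example and not part of the original tutorial, runs on a domain-joined machine and checks that the Root CA certificate is present in the machine “Trusted Root Certification Authorities” store, that it arrived through Group Policy rather than a manual import, and that Windows now builds a valid chain to it. The UNC path and the host name subca01 are assumptions; use the path from step 8 for your own Subordinate CA.

```powershell
# Added example (not from the original tutorial): verify the GPO-distributed Root CA
# on a domain member. Run it in an elevated PowerShell on any domain-joined machine.
# The default path below is an assumption; point it at the Root CA .crt from step 8.
param(
    [string]$RootCertPath = '\\subca01\c$\inetpub\wwwroot\CertEnroll\RootCA.crt',
    [switch]$RefreshPolicy
)

if ($RefreshPolicy) {
    # Apply the latest computer policy now instead of waiting for the refresh interval.
    gpupdate /target:computer /force | Out-Null
}

# Load the certificate the GPO is supposed to deliver; its thumbprint is the reference.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath
if ($expected.Subject -ne $expected.Issuer) {
    throw "'$RootCertPath' is not self-signed, so it is not a Root CA certificate: $($expected.Subject)"
}
Write-Host "Expecting root: $($expected.Subject) [$($expected.Thumbprint)]"

# 1. Present in the machine Trusted Root store at all?
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

# 2. Delivered by Group Policy? Policy-delivered certificates are recorded under the
#    Policies hive, separate from certificates someone imported by hand.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($expected.Thumbprint)"
$viaPolicy = Test-Path $policyKey

# 3. Does chain building succeed against the local trust stores?
$trusted = $expected.Verify()

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Thumbprint     = $expected.Thumbprint
    InTrustedRoot  = [bool]$inStore
    DeliveredByGPO = $viaPolicy
    ChainValidates = $trusted
}

if (-not $inStore) {
    Write-Warning "Root CA not present. Check the GPO link and scope (gpresult /r) and that this computer is in an OU the policy applies to."
}
```

Run it with -RefreshPolicy on a freshly joined machine to force the policy through first. Comparing thumbprints rather than subject names matters here: a second certificate with the same subject (for example a re-issued root) would otherwise pass the check while the one the GPO delivers is missing.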
Next: Deploy Policy Templates
In step 8, the location \CertEnroll isn’t available on my setup following your instructions.
I also have the same problem. I get an error 403 if I try to browse there via a browser, and via File Explorer I just get “location cannot be found”. Firewall issue maybe, or some form of directory browsing needs turning on?
hi simgamer13 and Alex,
I just checked and it seems I forgot to update the location after I updated the other pages. You need to browse to “\\\c$\inetpub\wwwroot\CertEnroll” instead of “\CertEnroll”.
best regards, Aad
Good tutorial. Only question I have is if you were to deploy the cert to say 50 domain controllers globally for LDAPS, what would be the best process to renew them in 5-10 years after the certificate expires?
Hello, Thanks for the awesome tutorial, it was a huge help!! One question, how would I reverse this step if I want to recall the Certificate that I sent out via the GPO?
Hi Ian,
As far as I know this is not possible with GPO. The only way I can think of is by publishing a PowerShell script to remove the certificate.
regards, Aad
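For the recall question above, the script below is an added example of the PowerShell approach Aad mentions; it is not his script or part of the tutorial. It removes a Root CA certificate from the machine “Trusted Root Certification Authorities” store by thumbprint and can be pushed as a computer startup script or run over the fleet with Invoke-Command. One caveat a practitioner should keep in mind: as long as the GPO still delivers the certificate, the next policy refresh will put it back, so remove it from the GPO's “Trusted Root Certification Authorities” list (or unlink the GPO) first and use this only to clean up what is already on the clients. The thumbprint is passed in as a parameter; no real value is assumed here.

```powershell
# Added example (not Aad's script): remove a Root CA certificate from the machine
# Trusted Root store by thumbprint on a domain member. Run elevated.
# Pre-condition: the certificate has already been removed from the GPO, otherwise
# Group Policy re-applies it at the next refresh.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint, 40 hex characters
    [string]$Thumbprint
)

$Thumbprint = $Thumbprint.ToUpperInvariant()
$storePath  = "Cert:\LocalMachine\Root\$Thumbprint"

$cert = Get-Item $storePath -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Output "$($env:COMPUTERNAME): $Thumbprint is not in LocalMachine\Root, nothing to do."
    return
}

# Safety check: the Root store should only hold self-signed certificates, and a
# mistyped thumbprint must not be able to strip some other trust anchor.
if ($cert.Subject -ne $cert.Issuer) {
    throw "$Thumbprint ($($cert.Subject)) is not self-signed; refusing to remove it."
}

if ($PSCmdlet.ShouldProcess("$($env:COMPUTERNAME): $($cert.Subject) [$Thumbprint]", 'Remove from Trusted Root store')) {
    Remove-Item $storePath -Force

    # A policy-delivered copy is recorded under the Policies hive as well; drop it
    # so the logical Root store does not keep showing the certificate until refresh.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    if (Test-Path $policyKey) {
        Remove-Item $policyKey -Recurse -Force
    }

    Write-Output "$($env:COMPUTERNAME): removed '$($cert.Subject)' [$Thumbprint]"
}
```

Because the script supports -WhatIf, a dry run across the domain looks like Invoke-Command -ComputerName (Get-ADComputer -Filter *).Name -FilePath .\Remove-RootCA.ps1 -ArgumentList $thumbprint, with -WhatIf appended to the script's arguments; drop the switch once the output lists exactly the machines and certificate you expect.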