Setup Server 2019 Enterprise CA 4/5: Setup Group Policy

Previous: Subordinate CA

Updated 11-12-2020: Updated file path in step 8.

The CA servers are now configured. Next, the domain computers and servers need to trust the certificates issued by the Subordinate CA. This is done by adding the Root CA certificate to the “Trusted Root Certification Authorities” store. The certificate can be added in multiple ways, but the easiest is to distribute it with a Group Policy. In this example a separate policy is created on the Domain Controller and linked at the root of the domain. This is not required; it is just one way of doing it.


Setup Group Policy


1. Open “Group Policy Management”


2. Expand “Group Policy Management” -> “Forest: <domain>” -> “Domains” and right-click your domain. Select “Create a GPO in this domain, and link it here…”


3. Enter a name for the policy for example “Root CA Distribution policy” and press “OK”


4. Select the created policy and press “Edit”


5. Go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Public Key Policies”, right-click “Trusted Root Certification Authorities” and select “Import”


6. Press “Next” to continue


7. Press “Browse”


8. Browse to \\<subordinate-ca>\c$\inetpub\wwwroot\CertEnroll and select the Root CA certificate. Press “Open” to continue


9. Press “Next” to continue


10. Use the default settings and press “Next”


11. Press “Finish” to import the Root CA Certificate.


12. After a short while, when the import has finished, a popup will appear. Press “OK” to continue


The Root CA Certificate is now distributed to all domain devices.
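To confirm the policy actually took effect, the following PowerShell check can be run on a domain member. It is an added example and not part of the original post; the share host name, the certificate file name and the `$RootCaFile` parameter are placeholders for your own environment.

```powershell
# Added example (not from the original post): verify on a domain member that the
# Root CA certificate deployed through the GPO has landed in the machine store.
# Assumption: $RootCaFile points at the Root CA certificate published in CertEnroll;
# the host name and file name are placeholders for your environment.
param(
    [string]$RootCaFile = '\\<subordinate-ca>\c$\inetpub\wwwroot\CertEnroll\<RootCA>.crt'
)

# Refresh computer policy first so a freshly linked GPO is applied before checking.
gpupdate /target:computer /force | Out-Null

# Load the published certificate and use its thumbprint as the reference value.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile
Write-Host "Expected Root CA: $($expected.Subject) [$($expected.Thumbprint)]"

# 1. Is it present in the machine's Trusted Root Certification Authorities store?
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

# 2. Was it delivered by Group Policy? Policy-distributed roots are recorded under this key.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($expected.Thumbprint)"
$viaGpo = Test-Path $policyKey

if ($inStore -and $viaGpo) {
    Write-Host "OK: Root CA is trusted on this host and was delivered by GPO."
} elseif ($inStore) {
    Write-Warning "Root CA is trusted, but not via GPO (imported manually or by another mechanism?)."
} else {
    Write-Warning "Root CA not found in the Trusted Root store. Check the GPO link and scope, then run 'gpresult /r'."
}

# Also flag an already expired published certificate, which would be trusted but useless.
if ($expected.NotAfter -lt (Get-Date)) {
    Write-Warning "The published Root CA certificate expired on $($expected.NotAfter)."
}
```

Run it in an elevated PowerShell session on a machine in the GPO's scope; a missing registry key together with a present store entry usually means the certificate was imported by hand rather than by the policy.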

Next: Deploy Policy Templates


6 thoughts on “Setup Server 2019 Enterprise CA 4/5: Setup Group Policy”

  1. Alex Rose

    I also have the same problem. I get an error 403 if I try to browse there via a browser, and via File Explorer I just get a location cannot be found. Firewall issue maybe, or some form of directory browsing needs turning on?

    1. Aad Lutgert Post author

      Hi simgamer13 and Alex,

      I just checked and it seems I forgot to update the location after I updated the other pages. You need to browse to “\\\c$\inetpub\wwwroot\CertEnroll” instead of “\CertEnroll”.

      best regards, Aad

  2. Jeff Scharfenberg

    Good tutorial. Only question I have is if you were to deploy the cert to say 50 domain controllers globally for LDAPS, what would be the best process to renew them in 5-10 years after the certificate expires?

  3. Ian

    Hello, Thanks for the awesome tutorial, it was a huge help!! One question, how would I reverse this step if I want to recall the Certificate that I sent out via the GPO?

    1. Aad Lutgert Post author

      Hi Ian,

      As far as I know this is not possible with GPO. The only way I can think of is by publishing a PowerShell script to remove the certificate.

      regards, Aad

