Deploy Self signed Certificate with Group Policy – SBS 2008

Situation:

I have one Red Hat Linux server and have deployed Active Directory authentication from an MS Windows SBS 2008 server. Because users access some network resources on the Linux server and Active Directory authentication is requested, I decided to deploy SSL for the web resources on the Linux server so that no password is sent in plain text. The Linux SSL setup uses a self-signed certificate.

Now users are getting the well-known error in browsers (IE/Firefox) that the certificate is not valid … and this is expected, as the client computer does not recognize the certificate. To make this annoyance disappear and make it easy for users, I created a Group Policy and deployed the self-signed certificate to each client. The certificate is now stored in each computer's certificate store under Trusted Root Certification Authority, and the browsers no longer have any issue with the certificate.

How to do this:

  1. Access the link in Internet Explorer over SSL from a client computer and, once you are on the page, click on the certificate error next to the address bar and select View Certificate
  2. The Certificate window will open; click Install certificate, click NEXT a few times and then FINISH. Click OK on the certificate popup window.
  3. Now go to your toolbar in Internet Explorer, click Tools | Internet Options, select the Content tab at the top and click on the Certificates button
  4. You now have the Certificates window in front of you; click on the tab Intermediate Certificate Authority, scroll down and locate your certificate
  5. Select your certificate and click on the EXPORT button; the wizard screen will open, click NEXT, more options are presented, select the default DER Encoded binary X.509 (.CER) and click NEXT, browse for the location (folder) where you want to save the certificate and click NEXT
  6. Complete the export and now you should have the certificate file sitting on your desktop or inside the folder you have selected
  7. Copy the file to a shared folder on the server … in my case I copied the certificate to my IT share on SBS 2008
  8. In SBS 2008, go to START | ALL PROGRAMS | Administrative Tools, right click on Group Policy Management and select Run as Administrator
  9. The Group Policy Management console will open on your screen; now scroll/drill down to the OU – SBSComputers under MyBusiness, right click on the SBSComputers OU and select Create a GPO in this domain and link it here
  10. In the popup window enter a name for the GPO – I have named it “Linux SelfSigned Certificate” – and click OK
  11. It will create a new GPO with the name you have chosen; right click on the new object and select EDIT
  12. Now under Computer Configuration navigate to Policies | Windows Settings | Security Settings | Public Key Policies and right click on Trusted Root Certification Authority
  13. Having right clicked on Trusted Root Certification Authority, select Import, navigate to the shared folder where you have stored the exported certificate, click on the certificate and complete the import
  14. Once the import is completed, you can close the Group Policy Editor
  15. Now on the toolbar of the Group Policy Management Console click the Refresh button so you can see the new GPO listed, right click on the GPO and select ENFORCED – now the GPO is being deployed and distributed to the client computers on your network
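
A check to run on a client once the GPO has applied, given here as an added example that is not part of the original post: it loads the exported .CER file, prints the thumbprint so it can be compared with the fingerprint read directly from the certificate on the Linux server, flags properties that matter for something placed in the Trusted Root store, and confirms the certificate has reached the computer store. The share path and file name are hypothetical placeholders.

```powershell
# Added example. The share path below is a hypothetical placeholder, not from the post.
param([string]$CerPath = '\\SERVER\IT\linux-selfsigned.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Thumbprint = SHA-1 over the DER-encoded certificate. Compare it out of band with
# the fingerprint read from the certificate on the Linux server before trusting it.
"Subject     : $($cert.Subject)"
"Thumbprint  : $($cert.Thumbprint)"
"Valid until : $($cert.NotAfter)"

# A certificate deployed this way should be self-signed (subject equals issuer).
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed; issuer is $($cert.Issuer)"
}

# An expired certificate brings the browser warning back even when it is trusted.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has expired.'
}

# Basic Constraints CA=TRUE means the matching private key can issue further
# certificates that every computer receiving this GPO will also trust.
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$bc = $cert.Extensions | Where-Object { $_ -is $bcType }
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning 'Certificate is marked as a CA; protect its private key accordingly.'
}

# Has Group Policy delivered it to this computer's Trusted Root store?
$hit = @(Get-ChildItem Cert:\LocalMachine\Root |
         Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
if ($hit.Count -gt 0) {
    'Trusted Root: present on this computer'
} else {
    Write-Warning 'Not in LocalMachine\Root yet; check that the GPO has applied.'
}
```

Run it on a client after `gpupdate /force` or a restart, so that computer policy has been refreshed.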
