Deploying internal certificate via GPO - will this only work for IE?


It will make any Windows clients joined to your domain trust your certificate authority as a Trusted Root CA, so any certificates your CA issues are automatically trusted by your computers. Anything that asks Windows if a certificate is trusted will trust the root certificate, but not all browsers do this.

For example, Internet Explorer will trust the certificate, as will Outlook (for example an Exchange AutoDiscover certificate); however, Firefox does not trust the certificate and holds its own list of trusted certificates. It all depends on individual browser implementation, I'm afraid.

Normally you can import trusted root certificates into an application if it uses its own list of trusted certificates, but again this is implementation dependent.
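
A way to check on a single client which of the two trust paths described in the answer applies, as an added example that is not part of the original answer. The `$Thumbprint` parameter is a placeholder for your own root CA; the Group Policy registry path and the Firefox preference `security.enterprise_roots.enabled` are not mentioned on the page.

```powershell
# Added example; run as the user whose Firefox profiles you want to inspect.
# $Thumbprint is a placeholder for your internal root CA's thumbprint.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint
)

# Normalise "ab cd ef ..." style input to the form used in store paths.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Windows machine trust store: what IE, Outlook and other applications
# that ask Windows about trust will consult.
$inRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"

# Registry location where Group Policy writes deployed trusted roots.
# Present here means the root came from a GPO, not a manual import.
$gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
$viaGpo = Test-Path $gpoKey

# Firefox keeps its own root list per profile. This preference controls
# whether it also reads the Windows store. Only an explicit setting is
# reported; "not set" means the default of the installed version applies.
$pattern = 'user_pref\("security\.enterprise_roots\.enabled",\s*(true|false)\)'
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$firefox = @()
if (Test-Path -LiteralPath $profileRoot) {
    $firefox = Get-ChildItem -LiteralPath $profileRoot -Directory | ForEach-Object {
        $state = 'not set'
        foreach ($file in 'prefs.js', 'user.js') {   # user.js is read last and wins
            $path = Join-Path $_.FullName $file
            if (Test-Path -LiteralPath $path) {
                $hit = Select-String -LiteralPath $path -Pattern $pattern |
                    Select-Object -Last 1
                if ($hit) { $state = $hit.Matches[0].Groups[1].Value }
            }
        }
        [pscustomobject]@{ Profile = $_.Name; EnterpriseRoots = $state }
    }
}

[pscustomobject]@{
    Thumbprint         = $thumb
    InLocalMachineRoot = $inRoot
    DeliveredByGpo     = $viaGpo
    FirefoxProfiles    = $firefox
}
```

A root that shows `InLocalMachineRoot = True` but a Firefox profile with `EnterpriseRoots = false` is the situation the answer describes: Windows-aware applications trust the CA while that browser still shows a certificate warning.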

Author: zam6ak

Updated on September 17, 2022

Comments

  • zam6ak
    zam6ak over 1 year

    I am contemplating adding AD CA role to our server and using GPO to add a self signed, trusted certificate to all internal clients (to ease testing)... Some of the related questions regarding this are:

    My question is, will using GPO to "push" self signed cert only work for Internet Explorer or will it work for any browser from clients? Also, will it allow client trusts in case of non-browser applications (such as web service clients)?

  • zam6ak
    zam6ak over 13 years
    :( I was afraid this may be the case... I was hoping there would be a way where any internal client would not be prompted with invalid cert dialog but it seems like the only way to do so is to actually buy a cert from CA that is in the trust chain which already exists in all (or most) browsers...
  • Ben Pilbrow
    Ben Pilbrow over 13 years
    Yeah I'm afraid so. We have an enterprise root CA securing some intranet resources and I know the pain this causes with browsers other than IE. Unfortunately, like you said the only real solution is to get a certificate signed by a root CA which is trusted by all major browsers.
  • ThatGraemeGuy
    ThatGraemeGuy over 13 years
    Not strictly correct. Yes, IE and many other applications will trust your internal CA and any certs it issues, but there are apps that maintain their own list of trusted roots, notably Firefox.
  • CarloBaldini
    CarloBaldini over 13 years
    So I have learned today :-) Although I wonder how unique Firefox is in this regard. Chrome certainly uses the computer's Certificate store.