Does a domain computer trust certs from domain CA


Solution 1

Essentially my question boils down to: does a computer joined to the domain automatically trust certificates issued by a CA on the same domain, or would they still need to be manually installed on each client device?

Typically, the root certificate for your internal PKI is distributed via GPO to all clients. This makes it "automatic".

Solution 2

Essentially my question boils down to: does a computer joined to the domain automatically trust certificates issued by a CA on the same domain, or would they still need to be manually installed on each client device?

Clients will not trust certificates from an internal CA automatically, no.

That said, there's no need to distribute the certificate manually, because it can be done by GPO. The Technet "guide" on this process is here, and there's a lot more you can do with GPOs and an internal Certificate Authority than just that. For example, we use ours to distribute certificates to allow automagical wireless connectivity with WPA2-enterprise, make our clients trust all the SSL services in our environments (printers, out-of-band management, even our backup software) so users don't get certificate warnings, and more.

Anyway, in the Group Policy Management Console, head to:

Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers and add your cert to the "Trusted Root Certification Authorities" store, and you're good to go with what you want to do.

Solution 3

I know this is old, but for the sake of clarification for future researchers:

An enterprise certification authority that is installed into an AD forest will automatically publish the CA's certificate to domain members via Active Directory, not by GPO. Although you can distribute certificates via GPO, you do not need to for enterprise CAs (and probably shouldn't for the enterprise CAs, as it will result in duplicate certs for the CA in your Trusted Root Certification Authorities store).

Standalone CAs do not distribute certs automatically via AD, but you can publish them in AD manually. See: https://technet.microsoft.com/en-us/library/cc731612.aspx

These published certificates are stored in the container CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com.
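An added check (not code from any of the answers above) that makes the difference between "published in AD" and "trusted by this client" visible: it reads every certificationAuthority object under the Public Key Services container (NTAuthCertificates plus the "Certification Authorities" container) and reports whether each published CA certificate is present in the local machine's Trusted Root or Intermediate CA store. It assumes it runs on a domain-joined Windows machine that can reach a DC; reading the Configuration partition needs no special rights.

```powershell
function Get-AdPublishedCaCert {
    # Locate the forest's Configuration naming context via RootDSE
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = $rootDse.Properties["configurationNamingContext"][0]
    $pkiRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Public Key Services,CN=Services,$configNc")

    # Both NTAuthCertificates and the per-CA objects under "Certification Authorities"
    # are of objectClass certificationAuthority and carry the cACertificate attribute
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($pkiRoot)
    $searcher.Filter      = "(objectClass=certificationAuthority)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("cACertificate")

    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties["distinguishedname"][0]
        # cACertificate is multi-valued: one DER blob per CA certificate (renewals included)
        foreach ($der in $result.Properties["cacertificate"]) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$der)
            [pscustomobject]@{
                PublishedIn = $dn
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
            }
        }
    }
}

function Test-LocalTrustForAdCa {
    # The LocalMachine stores are what a domain member consults when building a chain;
    # a subordinate (issuing) CA listed in NTAuth belongs in the CA store, not in Root
    $localRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
    $localInter = Get-ChildItem Cert:\LocalMachine\CA   | Select-Object -ExpandProperty Thumbprint
    foreach ($published in Get-AdPublishedCaCert) {
        [pscustomobject]@{
            Subject        = $published.Subject
            Thumbprint     = $published.Thumbprint
            NotAfter       = $published.NotAfter
            PublishedIn    = $published.PublishedIn
            InLocalRoot    = $localRoots -contains $published.Thumbprint
            InLocalInterCA = $localInter -contains $published.Thumbprint
        }
    }
}

Test-LocalTrustForAdCa | Sort-Object InLocalRoot, Subject | Format-Table -AutoSize
```

A root CA that shows up with InLocalRoot False on a domain member usually means autoenrollment/Group Policy has not refreshed yet (gpupdate, or certutil -pulse) or that the object was published by hand for a standalone CA and the client has not yet picked it up.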


Author: James Edmonds

Updated on September 18, 2022

Comments

  • James Edmonds (almost 2 years)

    I have investigated this but have been unable to find a definitive answer to my question. I have never used certificate services in Active Directory before, so am unsure of its possible usage/implementations.

    Quick background: we are looking to set up a remote desktop farm with a gateway server to allow remote users to connect to the farm without a VPN. In order for users to connect, we need to have a trusted certificate installed for the gateway server.

    In my test environment, I have used a self-signed certificate and manually installed it to Trusted Root Certification Authorities, which works great! This means any device we install this cert on can connect.

    Obviously we don't want to have to do this manually, so the way I see it the best thing is to purchase a cert from someone like VeriSign. I thought about certificate services in AD, and wondered if we could simply create our own cert using an internal certification authority.

    Essentially my question boils down to: does a computer joined to the domain automatically trust certificates issued by a CA on the same domain, or would they still need to be manually installed on each client device? Is there any way we could use this feature of Windows Server to save us some money on certs?

  • James Edmonds (over 10 years)
    Because I am a newbie, I assume the root cert is the cert in which the CA is identified. Therefore, installing the root cert from the internal CA, means that any other certs issued by that CA are trusted?
  • HopelessN00b (over 10 years)
    @Eds Yes, if you install the root CA's certificate, all subordinate certificates are trusted - including certificates issued directly by your root CA, as well as any issued by any subordinate CAs. (If you have a really big PKI environment, that becomes important.)
  • James Edmonds (over 10 years)
    Thanks guys, that certainly makes sense. I will try to get this implemented with our new deployment, as it does sound like it will be very beneficial. I will mark MDMarra's answer as such, only because I think he answered just before you HopelessN00b :)
  • James Edmonds (over 10 years)
    Thanks Hopeless, appreciate the link and location of GPO. Now I just need to investigate how to create the root cert :D