I've set up my own root authority for SSL and I'm looking for advice on how to distribute my public authority certificate for trust within my internal network. My clients are running Windows 11 and are part of an Active Directory domain. I tried using Group Policy (GPO) to deploy the certificate via SYSVOL to avoid creating a separate network share, but it didn't seem to work. The settings I used were in the machine certificate section. I prefer not to use Windows CA since it's bundled with IIS, which I'm not a fan of. OpenSSL feels more straightforward for generating and securely storing certificates.
3 Answers
The easiest way to deploy your certificate is definitely through GPO. Just make sure you are importing the certificate correctly. You should also ensure that all systems can access the CRL (Certificate Revocation List) to avoid any trust issues later on.
What’s a CRL? I’ve heard it mentioned but not sure how it fits into this.
You mentioned avoiding IIS, but consider this: using a Windows CA does simplify a lot of processes for certificate handling. Sometimes personal preferences can complicate your job. Just something to think about!
To deploy your root certificate, you can use Group Policy to add it to the trusted root certificate store for all domain machines. Go to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies, and import your certificate there. This should do the trick!
The CRL is a list of certificates that have been revoked by the CA. It'll help clients verify that a certificate is still valid.
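A check script for the GPO answer above and the CRL comments, added here as an example and not posted by anyone in the thread: run it in an elevated PowerShell on a domain-joined client after linking the policy. The file paths are placeholders, and it assumes your server certificate carries a CRL Distribution Point extension so certutil can fetch the CRL.

```powershell
# Added example (not from the thread). Placeholder paths: adjust to your exported files.
$RootCerPath = 'C:\pki\internal-root.cer'       # the CA cert you put in the GPO
$LeafCerPath = 'C:\pki\intranet-server.cer'     # any server cert issued by that CA

# Load the root so we know which thumbprint Group Policy should have delivered.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
Write-Host "Expected root: $($expected.Subject) [$($expected.Thumbprint)]"

# 1. Refresh computer policy so a freshly linked GPO is actually applied before we look.
gpupdate /target:computer /force | Out-Null

# 2. Certificates pushed by a machine GPO land under the Policies hive, separate from
#    the locally installed roots. No key here means the policy never applied to this
#    machine (wrong OU/link, cert placed in the user section, or SYSVOL not reachable).
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($expected.Thumbprint)"
if (Test-Path $policyKey) {
    Write-Host "OK: root certificate was delivered by Group Policy."
} else {
    Write-Warning "Root not found under the policy hive; the GPO did not apply it here."
}

# 3. The Cert: drive merges policy-delivered and local stores, so this is the view
#    Schannel and browsers using the Windows store will see.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $expected.Thumbprint
if ($installed) {
    Write-Host "OK: root is trusted in LocalMachine\Root."
} else {
    Write-Warning "Root is missing from LocalMachine\Root."
}

# 4. Build the chain for a server cert and force a CRL download (-urlfetch). A CRL URL
#    that clients cannot reach or an expired CRL shows up in this output instead of as
#    an opaque trust error in the browser later.
if (Test-Path $LeafCerPath) {
    certutil -verify -urlfetch $LeafCerPath
} else {
    Write-Host "Skipping revocation check: $LeafCerPath not found."
}
```

Step 4 is the part that exercises the CRL advice: a chain that passes steps 2 and 3 can still fail in clients if the revocation URL baked into the server certificate is not reachable from the workstation.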