16

Windows Server provides a certificate authority service. However, it's not clear from its documentation how (or if) the root certificate gets distributed to clients.

  • Do domain member computers automatically trust the root certificate?
    • If so, how and when do they get the certificate?
  • Is there any user interaction required for the root certificate to be installed or trusted?
  • Does the client poll Active Directory? Is it in AD DNS?
  • Will it only get it during login?
  • What if a domain member remotely VPNs into the LAN?
  • Are there any caveats for different versions of Windows clients?
wfaulk

3 Answers

18

The method used for distribution depends on the type of CA you setup (standalone/enterprise).

For a standalone or non-microsoft CA you generally distribute this with a group policy.

See:

When you install an Enterprise certificate authority in a domain, this happens automatically.

From TechNet: Enterprise certification authorities (Archived here.)

When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain.

Zoredache
  • Using group policy implies that it only happens during login while connected to the domain, right? So someone that logs in and then connects to the domain via VPN is out of luck? – wfaulk Feb 10 '12 at 23:06
  • Kinda depends on the VPN. I haven't done this since Windows 2003, but you could actually have the VPN initiated at logon, and policies/login scripts would apply. Not sure if that is possible any more, and it would be a lot less likely to work with a 3rd party VPN. – Zoredache Feb 10 '12 at 23:09
  • Login with network for Windows 7 - http://level2it.wordpress.com/2009/11/05/log-on-using-dial-up-connection-is-gone-in-windows-7/ – Zoredache Feb 10 '12 at 23:18
  • Actually, if I'm rereading that correctly, it says that it uses GP to push the cert to a certificate store. How do clients retrieve it? Or am I misreading? – wfaulk Feb 10 '12 at 23:22
  • The Enterprise CA pushes the cert into a GPO. The machines apply the GPO and thus install the CA into the trusted store. I believe the Enterprise CA publishes to the 'Default Domain Policy'. – Zoredache Feb 10 '12 at 23:27
4

It's my experience that once you set up the CA and the cert is stored in AD DS, a computer will grab it on next boot and store it in the computer trusted root store. I generally put CAs in all AD domains I manage as it opens up options for using the CA for all your certificate needs without any additional work for domain member computers. This includes the Windows Server 2008 R2 SSTP VPN or L2TP/IPsec, which use certificates. Traditional PPTP does not use certificates.

Slightly unrelated, but if you want people to VPN in during login, you should use GPO to push a VPN config, or when you manually create the VPN on a computer check the "make available for all users" box, which stores the VPN config in the public profile rather than the specific user's profile. Once that's done, before login, click the switch user button (Vista/7) and you'll see a new VPN icon bottom right by the shutdown button. That solves the problem of "a new user logging in without being on the network first".

Lastly, when you create the root CA, be sure it's running Windows Enterprise or the Certificate Service will be crippled (in Standard ed.), and I wouldn't make the expiration less than 10 years, to save you some work in the future.

Bret Fisher
  • This is an old answer, but obviously the "use GPO to push VPN" setting doesn't work in 2020 when everyone is already working from home and GPO is broken. – DustWolf Mar 19 '21 at 10:30
0

A standard practice is to distribute any Trusted Root certificates, including within your own domain, via Group Policy Objects (GPO). This can be done by creating a new GPO with proper linking and Security Filtering against the Domain Computers and Domain Controllers BUILTIN Security Groups. This ensures that domain-joined Windows computer objects have a standardized set of Trusted Root certificates.

The GPO itself can be found in Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities and designating the correct store. Clients will then receive the policy upon restart and/or during their next GPO processing interval, which can be forced using the gpupdate /force command.

Cale Vernon
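Added check, not code from any of the answers above: the PowerShell below, run on a domain member, reads the CA certificates the Enterprise CA published into the Configuration partition (the automatic path Zoredache's answer describes) and reports whether each one is in the machine's Trusted Root store and whether it arrived through the Group Policy store (the GPO path in Cale Vernon's answer) or the AD-published enterprise store. It assumes a domain-joined Windows client that can reach a domain controller; the function name is my own.

```powershell
# Added example, not code from any answer on this page. Run on a domain-joined
# Windows client. Assumes a reachable domain controller; no RSAT modules needed.
function Test-PublishedRootCaTrust {
    # The Enterprise CA publishes its certificate into the Configuration
    # partition; locate that container via RootDSE so the forest name is
    # not hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $caPath   = "LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    $caContainer = [ADSI]$caPath

    # Every child object carries one or more DER-encoded certs in cACertificate.
    $published = foreach ($ca in $caContainer.Children) {
        foreach ($der in $ca.Properties['cACertificate']) {
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]]$der)
        }
    }

    # Cert:\LocalMachine\Root is the logical store; these two registry hives
    # are the physical stores behind it that GPO and AD autoenrollment write to.
    $gpoHive = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    $adHive  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    $fromGpo = (Get-ChildItem $gpoHive -ErrorAction SilentlyContinue).PSChildName
    $fromAd  = (Get-ChildItem $adHive  -ErrorAction SilentlyContinue).PSChildName
    $localRoots = Get-ChildItem Cert:\LocalMachine\Root

    # One row per published CA cert: is it trusted here, and which channel delivered it?
    foreach ($cert in $published) {
        $tp = $cert.Thumbprint
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $tp
            NotAfter    = $cert.NotAfter
            InLocalRoot = [bool]($localRoots | Where-Object Thumbprint -eq $tp)
            ViaGpo      = $fromGpo -contains $tp
            ViaAd       = $fromAd  -contains $tp
        }
    }
}

Test-PublishedRootCaTrust | Format-Table -AutoSize
```

A published cert with InLocalRoot false on a machine that has rebooted since the CA was installed points at policy not applying (for example the VPN-before-logon problem discussed in the comments); one that is present but missing from both hives was installed by hand and will not be refreshed by either mechanism.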