Installing SSL cert for all workstations in domain

Question

We have a fax server only accessible internally on our network, say address 10.10.10.2. Many of our employees use this fax server daily, so I created a DNS entry with an easy name, like fax.company.com, and that works great. The fax server has the ability to communicate over SSL and has the ability to generate a SSL cert. I generated then copied this SSL cert over to our domain controller, and added it to the Trusted Root Certificate Store following these instructions. However, when navigating to fax.company.com, users are still prompted with the browser warning of an untrusted connection. My end goal is to have our domain users navigate to fax.company.com and for the connection to be trusted, and thus the users are not presented with the browser warning.

I've been googling and researching and can't seem to find out exactly where to install this certificate to make it so when users navigate to fax.company.com, the browser will recognize this certificate and trust it, and thus not warn them. The domain controller runs Windows Server 2012. The fax server serves it's own web interface, so IIS is not a factor in this situation (i.e. installing the cert in IIS shouldn't resolve this issue, as IIS on the domain controller isn't serving the content).

I haven't restarted the domain controller as I don't think that would be necessary...or is it? Maybe it's that simple? I've tried clearing cache and restarting my computer but I still receive the browser untrusted connection warning.

Any help would be much appreciated. Thanks!

If the fax server is accessible only internally why do you need to use SSL at all? — joeqwerty, Aug 26 '14 at 17:48
@joeqwerty The CEO or CFO might not be interested in someone eavesdropping all of their faxin'. — Mathias R. Jessen, Aug 26 '14 at 17:53

score 3 · Accepted Answer · answered Aug 26 '14 at 17:49

Installing the certificate as a Trusted Root Certification Authority on the domain controller doesn't really do anything for the clients. They still don't have it in their stores.

You can distribute the certificate using a GPO as described in this technet article:

Click Start, point to Administrative Tools, and then click Group Policy Management.
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
Right-click the Default Domain Policy GPO, and then click Edit.
In the Group Policy Management Console (GPMC), go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
Right-click the Trusted Root Certification Authorities store.
Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

If only a subset of your client should trust the certificate, create a new GPO and target them alone

score 0 · Answer 2 · answered Aug 26 '14 at 17:49

All you've done is ensure that the domain controller will trust the SSL cert from this machine. You need to use a GPO to effectively do the same thing for all workstations in the domain, or implement a PKI, probably using AD CS.

Or use a public cert from a commercial Certificate Authority, which would be wise if your users are not employees of your company.

Installing SSL cert for all workstations in domain

2 Answers2