
The group policy setting 'Turn off Automatic Root Certificates Update' prevents Windows from deleting certificates that it cannot verify.

If a third party has provided me with their own self-signed root certificate, I can see no other option but to turn off automatic root cert update, else their self-signed certificate will be deleted at some point due to group policy rules.

Is it insecure to disable this checking?

Do I have any other options? Can I set up more granular rules so that Windows will not delete the specific certificate, but will carry on updating the others I have installed?

Note:

I'm using a basic C# app to deploy the certificate, using the following code:

using System.Security.Cryptography.X509Certificates;

// Load the third party's self-signed root certificate from disk.
X509Certificate2 certificate = new X509Certificate2("trusted-root-cert.cer");

// Machine-wide AuthRoot (Third-Party Root Certification Authorities) store; writing to it needs local admin rights.
X509Store store = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(certificate);   // not added again if an identical certificate is already in the store
store.Close();

I need to install the certificate via code, since my software is running as part of a farm of multiple machines, where it's not practical to install anything by hand.

Also, the machines are in a workgroup, NOT a domain.

dan

2 Answers


As far as I'm aware, certificates deployed via Group Policy will not be removed when the Automatic Root Certificates Update runs.

I can't find a definite reference from MSFT. This is how I deploy private CA root certificates in my Customers' environments and I've had no problems with them being automatically removed. (Of course, now that I say that... >sigh<)

Evan Anderson
  • Thanks! That appears to be a manual method of installing a certificate; is there a script equivalent? – dan Oct 24 '14 at 14:36
  • I tend to think you're going to be disappointed. I'm not seeing where there's any more granular functionality to control the Automatic Root Certificate update functionality. You may be stuck writing code to look for the absence of the certificate and put it back (assuming you want to keep the automatic updates enabled). – Evan Anderson Oct 24 '14 at 14:58
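The "look for the absence of the certificate and put it back" approach from the comment above, written out as an added example (this is not code from the question or the answer). It pins the expected SHA-1 thumbprint so that a swapped or tampered .cer file is never pushed into the machine store, and it only writes when the certificate is actually missing, so it is safe to run repeatedly from a scheduled task. ExpectedThumbprint is a placeholder to be replaced with the real value obtained out of band; the example writes to StoreName.Root (Trusted Root Certification Authorities) rather than the AuthRoot store used in the question, which is a choice made here and not something the page establishes as avoiding the automatic removal.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: re-install a pinned root certificate if it has gone missing.
class EnsureRootCert
{
    const string CertPath = "trusted-root-cert.cer";

    // PLACEHOLDER: replace with the SHA-1 thumbprint (hex, no spaces) of the
    // third party's root certificate, obtained through a trusted channel.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    static int Main()
    {
        X509Certificate2 cert = new X509Certificate2(CertPath);

        // Refuse to trust a file whose thumbprint differs from the pinned value.
        if (!string.Equals(cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("Thumbprint mismatch; refusing to install {0}", CertPath);
            return 1;
        }

        // LocalMachine stores require local administrator rights to modify.
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            // validOnly: false, so a self-signed root that chains only to itself is still found.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ExpectedThumbprint, false);

            if (found.Count == 0)
            {
                store.Add(cert);
                Console.WriteLine("Certificate was missing and has been re-added.");
            }
            else
            {
                Console.WriteLine("Certificate present; nothing to do.");
            }
        }
        finally
        {
            store.Close();
        }
        return 0;
    }
}
```

Run it under an account with local administrator rights, for example from a Task Scheduler job on each workgroup machine; the non-zero exit code on a thumbprint mismatch gives the scheduler something to alert on, which is the point at which someone should look at where that .cer file came from.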

There are two options to distribute a custom root certificate over domain members:

  1. Distribute it via Group Policies (already mentioned)

This option should be used when only specific domain members should install this certificate (as GPO supports targeting) or there are specific custom attributes.

  2. Publish it to Active Directory.

This method is used to publish a root CA certificate to all AD forest members (while the GPO method can be used within a particular domain/site only). Also, this method supports the command line (unlike the GPO method):

certutil -dspublish <path\certfilename.crt> RootCA

where <path\certfilename.crt> is the path to a certificate file. Clients will download this certificate from AD during the next autoenrollment trigger.

Crypt32