2

I am contemplating adding AD CA role to our server and using GPO to add a self signed, trusted certificate to all internal clients (to ease testing)... Some of the related questions regarding this are:

My question is, will using GPO to "push" self signed cert only work for Internet Explorer or will it work for any browser from clients? Also, will it allow client trusts in case of non-browser applications (such as web service clients)?

zam6ak

2 Answers

3

It will make any Windows clients joined to your domain trust your certificate authority as a Trusted Root CA, so any certificates your CA issues are automatically trusted by your computers. Anything that asks Windows if a certificate is trusted will trust the root certificate, but not all browsers do this.

For example, Internet Explorer will trust the certificate, as will Outlook (for example an Exchange AutoDiscover certificate) however Firefox does not trust the certificate and holds its own list of trusted certificates. It all depends on individual browser implementation I'm afraid.

Normally you can import trusted root certificates into an application if it uses its own list of trusted certificates, but again this is implementation dependent.

Ben Pilbrow
  • :( I was afraid this may be the case... I was hoping there would be a way where **any** internal client would not be prompted with an invalid cert dialog, but it seems like the only way to do so is to actually buy a cert from a CA that is in the trust chain which already exists in all (or most) browsers... – zam6ak Dec 08 '10 at 14:40
  • Yeah I'm afraid so. We have an enterprise root CA securing some intranet resources and I know the pain this causes with browsers other than IE. Unfortunately, like you said the only real solution is to get a certificate signed by a root CA which is trusted by all major browsers. – Ben Pilbrow Dec 08 '10 at 14:44
0

Trust is computer-wide, so it will be valid for uses other than IE (depending on the type of cert). After you create the CA you can deploy the root certificate via a GPO: How do I deploy an internal certificate authority?

CarloBaldini
  • Not strictly correct. Yes, IE and many other applications will trust your internal CA and any certs it issues, but there are apps that maintain their own list of trusted roots, notably Firefox. – ThatGraemeGuy Dec 08 '10 at 15:04
  • So I have learned today :-) Although I wonder how unique Firefox is in this regard. Chrome certainly uses the computer's Certificate store. – CarloBaldini Dec 08 '10 at 15:40
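As an added example that is not part of either answer: a PowerShell check an admin can run on a domain-joined client to confirm that the GPO-deployed root actually reached the machine-wide Trusted Root store, and that a given server certificate chains to that root through the Windows store (which is what IE, Outlook and other Windows-store-aware applications consult). The root thumbprint and the certificate file path are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): verify on a domain-joined client
# that a GPO-deployed internal root is present in the machine-wide Trusted Root
# store and that a server certificate chains to it via the Windows store.
# Assumptions: $RootThumbprint and $ServerCertPath are placeholders you replace
# with your own root CA thumbprint and an exported server certificate file.
param(
    [string]$RootThumbprint = 'REPLACE-WITH-YOUR-ROOT-CA-THUMBPRINT',
    [string]$ServerCertPath = 'C:\temp\intranet-server.cer'
)

function Test-DeployedRoot {
    param([string]$Thumbprint)
    # GPO-deployed roots land in the machine store, not the user store
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($null -eq $root) {
        Write-Warning "Root $Thumbprint not found in LocalMachine\Root (GPO not applied yet?)"
        return $false
    }
    Write-Host "Found trusted root: $($root.Subject)"
    return $true
}

function Test-ServerCertChain {
    param([string]$Path, [string]$ExpectedRootThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Build the chain in the machine context so the result matches what services
    # (not just the logged-on user's applications) see; skip revocation checks so
    # the test also works on a client without CRL access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation)
    }
    # The last element of the chain is the root Windows ended up trusting (or not)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($ok -and $top.Thumbprint -eq $ExpectedRootThumbprint) {
        Write-Host "OK: $($cert.Subject) chains to the deployed root via the Windows store"
        return $true
    }
    Write-Warning "Chain does not end at the expected trusted root (ends at $($top.Subject))"
    return $false
}

Test-DeployedRoot -Thumbprint $RootThumbprint
Test-ServerCertChain -Path $ServerCertPath -ExpectedRootThumbprint $RootThumbprint
```

A passing result here only proves machine-wide Windows trust; an application that keeps its own root list (Firefox, as the answers note) must still be checked separately.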