
I am planning to set up a PKI for our organization, as we're fed up with all of these security warnings when using self-signed certs. I want an offline root CA and two issuing CAs, and I want to set that up on Linux systems.

How can I easily distribute root and identity (server) certificates to end users without explaining to each of them how to install them in the browser?

Does Active Directory do that, via GPO for example? If so, does it only support Internet Explorer? Can I do that without having to install AD CS?

Also, I wonder if there is an interface for the CA (GUI/web) of some kind where server admins can log in and request certificates for their needs?

Hopefully that makes some sense, as I'm pretty new to PKI :) I'm very sorry if it is all over the Internet and I just suck at Googling, but I really can't find what I need...

Alex

2 Answers


Yes, you can deploy the root and intermediate CAs into the Windows trust stores from AD. At least IE and Chrome will pick them up from there, as they use whatever comes with Windows. In Firefox you will need to have the users import the certs themselves, or find a way to script it.

Thanks to @Aceth, here's a completion for the answer:

I edit the Default Domain Policy in the Group Policy Management Console. Then, under Computer Configuration / Policies / Security Settings / Public Key Policies / Trusted Root Certification Authorities,

right-click and import your root and intermediate certs.

Florin Asăvoaie
  • But if you want to auto-enroll certificates to your users, you will need to install Microsoft AD CS. Anyway, you can use a Linux-based offline CA, put the CD and the encrypted USB stick with the root CA's private key in the safe, and enroll an intermediate MS CA (or use an HSM :) – cornelinux Aug 08 '14 at 19:29
  • In Firefox you can add or remove user trusted CA certs with [MozillaGPO module](https://mozillagpo.sourceforge.io/usage.html#configuring-application-trusted-ca-management). – Slipeer Dec 29 '17 at 07:09
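As an added example that is not part of the answer or comments above: the GPO import described there pushes the certificates to every domain-joined machine, but the same result can be scripted with PowerShell, which is useful for non-domain machines and for checking that the GPO actually landed. The script below also handles the Firefox gap mentioned in the answer, using Firefox's enterprise policy file (Firefox 60 and later) to make it trust the Windows machine store instead of scripting NSS imports per user. The file paths, thumbprint placeholder and server certificate name are assumptions for illustration; `Import-Certificate` is the cmdlet from the PKI module shipped with Windows 8 / Server 2012 and later. One caveat worth making explicit: put only the offline root into Trusted Root Certification Authorities and the issuing CAs into Intermediate Certification Authorities, so that an issuing CA can be replaced later without re-trusting anything.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answer author's code. Assumed (hypothetical) paths:
$RootCert     = '\\fileserver\pki\root-ca.crt'
$IssuingCerts = @('\\fileserver\pki\issuing-ca-1.crt',
                  '\\fileserver\pki\issuing-ca-2.crt')
# Thumbprint printed on the offline root CA machine; hypothetical placeholder.
$ExpectedRootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

# 1. Root -> Trusted Root Certification Authorities (Cert:\LocalMachine\Root).
#    Issuing CAs -> Intermediate Certification Authorities (Cert:\LocalMachine\CA).
$root = Import-Certificate -FilePath $RootCert -CertStoreLocation 'Cert:\LocalMachine\Root'
$issuing = foreach ($file in $IssuingCerts) {
    Import-Certificate -FilePath $file -CertStoreLocation 'Cert:\LocalMachine\CA'
}

# 2. Verify by thumbprint, not by subject name: a thumbprint match proves the
#    store holds exactly the certificate you generated, not a look-alike.
if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
    throw "Root CA thumbprint mismatch: got $($root.Thumbprint), expected $ExpectedRootThumbprint"
}
$present = Get-ChildItem 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Thumbprint -eq $ExpectedRootThumbprint }
if (-not $present) { throw 'Root CA not found in LocalMachine\Root after import' }
Write-Host "Trusted root $($root.Subject) and $($issuing.Count) issuing CA(s) installed."

# 3. Firefox keeps its own NSS store. Instead of importing per user, tell it to
#    honour the Windows machine store via an enterprise policy (Firefox >= 60).
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path $firefoxDir) {
    $distDir = Join-Path $firefoxDir 'distribution'
    New-Item -ItemType Directory -Path $distDir -Force | Out-Null
    $policy = @{ policies = @{ Certificates = @{ ImportEnterpriseRoots = $true } } }
    $policy | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $distDir 'policies.json') -Encoding ASCII
    Write-Host 'Firefox policy written: Windows enterprise roots will be trusted.'
}

# 4. End-to-end check: build the chain for a server certificate issued by one of
#    the issuing CAs. If this fails, browsers on this machine will warn too.
$serverCertPath = '\\fileserver\pki\example-server.crt'   # hypothetical
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($serverCertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped here only because the offline root has no reachable CRL
# in this example; in production point the CRL distribution point at a host
# clients can reach and leave revocation checking on.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    Write-Host "Chain OK: $($chain.ChainElements.Count) element(s), anchored at $($chain.ChainElements[-1].Certificate.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Server certificate does not chain to the installed root'
}
```

Run it once on a reference workstation after the GPO has applied; step 2 will throw if the GPO put the wrong file in the store, and step 4 tells you whether a freshly issued server certificate is accepted before you roll it out to users.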

Just to elaborate further on Florin's answer ...

I edit the Default Domain Policy in the Group Policy Management Console. Then, under Computer Configuration / Policies / Security Settings / Public Key Policies / Trusted Root Certification Authorities,

right-click and import your root and intermediate certs.

Rhys Evans