Let’s consider the peculiarities of centralized certificate deployment to domain computers, adding the certificates to Trusted Root Certification Authorities using Group Policy. In our case, we’ll install the self-signed Exchange certificate on client computers.
If a self-signed certificate is used on your Exchange server, a message that this certificate is untrusted and that using it is insecure will appear on the client computers the first time Outlook is started.
To remove this warning, you have to add the Exchange certificate to the list of trusted system certificates on the user computer. This can be done manually (or by integrating the certificate into the corporate OS image), but it is easier and more effective to install the certificate using GPO. Then the certificate will be installed automatically on all existing and new PCs of the domain users.
First of all, you have to export the self-signed certificate from your Exchange server. To do it, run mmc.exe and add Certificates (for a local computer) snap-in.
Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
In the right-hand pane, find your Exchange certificate, right-click it and select All Tasks -> Export.
In the Export Wizard, select DER encoded binary X.509 (.CER) format and specify the path to the certificate file.
So we have exported the Exchange certificate to a file, which has to be placed in a network folder to which all users have read access. (If necessary, the access can be restricted by NTFS permissions, or the folder can be hidden using Access-Based Enumeration (ABE).) For example, let the path to the certificate file be as follows: \\lon-fs01\GroupPolicy$\Certificates
Let’s move on to creating a new certificate deployment policy. To do it, start the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU (in our example, it is the OU containing user computers, since we don’t want the certificate to be installed on servers and other special-purpose systems), and in the context menu select Create a GPO in this domain, and Link it here…
Specify the policy name (Install-Exchange-Certificate) and switch to edit mode.
In the GPO editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities, right-click in the right-hand pane and select Import.
Specify the path to the imported certificate file, which we have placed in the network folder.
In the corresponding step of the wizard, specify that the certificate has to be placed in Trusted Root Certification Authorities.
The certificate distribution policy has been created. You can target this policy to specific clients using Security Filtering or WMI filtering.
Let’s test the policy by running gpupdate /force on a client. Make sure that the certificate has appeared in the trusted section of the certificate store. This can be checked either in the Certificates snap-in (Trusted Root Certification Authorities -> Certificates) or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).
Now the untrusted certificate warning won’t appear during Outlook configuration.
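The export step on the server and the post-gpupdate check on a client, as an added PowerShell example that is not part of the original article. It assumes a server FQDN of lon-ex01.contoso.local and a file name of exchange-selfsigned.cer; the share path is the one used above.

```powershell
# Added example, not part of the original article. The server FQDN and the
# .cer file name are assumptions; the share path is the article's.
$ServerFqdn = 'lon-ex01.contoso.local'   # assumed, replace with your own server
$CerFile    = '\\lon-fs01\GroupPolicy$\Certificates\exchange-selfsigned.cer'  # assumed file name

# Run on the Exchange server: find the self-signed certificate (issuer equals
# subject) that carries the server name and export it as DER (.CER). Only the
# public part is written, so nothing secret lands on the share.
function Export-ExchangeSelfSignedCert {
    param([string]$Fqdn, [string]$Path)
    $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No self-signed certificate for $Fqdn found" }
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    return $cert.Thumbprint
}

# Run on a client after gpupdate /force: compare the published file with what
# the GPO actually installed. Matching on the thumbprint (not just the subject)
# detects a swapped or tampered .cer on the share, and the Policies registry
# key shows that the root came from Group Policy rather than a local import.
function Test-DeployedRootCert {
    param([string]$Path)
    $published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $published.Thumbprint }
    $fromGpo = Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($published.Thumbprint)"
    [pscustomobject]@{
        Subject    = $published.Subject
        Thumbprint = $published.Thumbprint
        Trusted    = [bool]$installed
        ViaGpo     = $fromGpo
        ExpiresOn  = $published.NotAfter
    }
}

# Export on the server, then verify on a client:
# Export-ExchangeSelfSignedCert -Fqdn $ServerFqdn -Path $CerFile
# Test-DeployedRootCert -Path $CerFile
```

If Trusted is true but ViaGpo is false, the certificate was added by some other route (for example a manual import), which is worth knowing when you later revoke or replace it, since the GPO will not clean that copy up.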
Thus, we have configured a policy that automatically distributes the certificate to all domain computers (or to a certain container or domain security group). The certificate will be installed on all new computers without any tech support involvement.