Posted on February 5, 2016 · Posted in Group Policies

How to Deploy Certificate by using Group Policy

Let’s look at how to centrally deploy a certificate to domain computers and add it to the Trusted Root Certification Authorities store using Group Policy. In our case, we’ll install the self-signed Exchange certificate on client computers.

If a self-signed certificate is used on your Exchange server, a message saying that this certificate is untrusted and that using it is insecure will appear on client computers the first time Outlook starts.

Outlook certificate warning

To remove this warning, you have to add the Exchange certificate to the list of trusted system certificates on the user’s computer. This can be done manually (or by integrating the certificate into the corporate OS image), but it is easier and more effective to install the certificate using a GPO. The certificate will then be installed automatically on all existing and new PCs of domain users.

First of all, you have to export the self-signed certificate from your Exchange server. To do this, run mmc.exe and add the Certificates snap-in (for the local computer account).

Certificates - mmc snap-in

Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.

In the right-hand pane, find your Exchange certificate, right-click it and select All Tasks -> Export.

export exchange certificate

In the Export Wizard, select DER encoded binary X.509 (.CER) format and specify the path to the certificate file.

certificate export wizard

So we have exported the Exchange certificate to a file, which now has to be placed in a network folder that all users have read access to. (If necessary, the access can be restricted by NTFS permissions, or the folder can be hidden using ABE.) For example, let the path to the certificate file be: \\lon-fs01\GroupPolicy$\Certificates


Now let’s create a new policy for certificate deployment. To do this, start the Group Policy Management console (gpmc.msc). Select the OU to link the policy to (in our example, it is the OU containing user computers, since we don’t want the certificate to be installed on servers and technological systems), and in the context menu select Create a GPO in this domain and Link it here…

Specify the policy name (Install-Exchange-Certificate) and open it for editing.

Create a GPO in this domain and Link it here

In the GPO Editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.

Right-click in the right-hand pane of the window and select Import.

gpo import public key

Specify the path to the certificate file that we placed in the network folder.

certificate import wizard

In the corresponding step of the wizard, make sure you specify that the certificate is to be placed in Trusted Root Certification Authorities.

Trusted Root Certification Authorities

The certificate distribution policy has been created. You can target this policy at specific clients using Security Filtering or WMI filtering.

Let’s test the policy by running gpupdate /force on a client. Make sure the certificate has appeared in the trusted section of the certificate store. This can be checked either in the Certificates snap-in (Trusted Root Certification Authorities -> Certificates) or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).

trusted root certs
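As an added example (not from the original article), here are the export step and the post-gpupdate check from above done in PowerShell. It assumes the PKI module (Windows 8 / Server 2012 or later), the share path from the article, and a placeholder subject name that you must replace with your own Exchange certificate’s subject.

```powershell
# Added example, not from the original article: the export step and the
# post-gpupdate check done in PowerShell. Assumes the PKI module (Windows 8 /
# Server 2012 or later) and the share path from the article; the subject name
# is a placeholder you must replace with your own Exchange certificate's subject.

$SharePath = '\\lon-fs01\GroupPolicy$\Certificates'   # share path used in the article
$SubjectCN = 'CN=mail.example.local'                   # PLACEHOLDER: your Exchange cert subject
$CerFile   = Join-Path $SharePath 'Exchange-SelfSigned.cer'

# --- Run on the Exchange server: export the certificate as DER-encoded .cer ---
function Export-ExchangeRootCertificate {
    # Self-signed means issuer and subject are the same; only the public part
    # is written out, the private key never leaves the server.
    $cert = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
              Where-Object { $_.Subject -eq $SubjectCN -and $_.Issuer -eq $_.Subject })
    if ($cert.Count -ne 1) {
        throw "Expected exactly one self-signed certificate with subject '$SubjectCN', found $($cert.Count)"
    }
    # -Type CERT = DER encoded binary X.509, the format chosen in the export wizard
    Export-Certificate -Cert $cert[0] -FilePath $CerFile -Type CERT -Force | Out-Null
    return $cert[0].Thumbprint
}

# --- Run on a client after the GPO is linked: refresh policy and verify ---
function Test-DeployedRootCertificate {
    # Compare against the thumbprint of the file on the share, so we confirm the
    # exact certificate we exported is what ended up in the client's Trusted Root store.
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    gpupdate /force | Out-Null

    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
                 Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    if (-not $installed) {
        Write-Warning "Certificate $($expected.Thumbprint) is not in LocalMachine\Root; check the GPO link and filtering"
        return $false
    }
    if ($installed.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate is installed but expired on $($installed.NotAfter)"
        return $false
    }
    Write-Host "OK: '$($installed.Subject)' is trusted until $($installed.NotAfter)"
    return $true
}
```

Run Export-ExchangeRootCertificate once on the server before importing the file into the GPO, then Test-DeployedRootCertificate on a client in the targeted OU; a $false result points at a GPO link, security filtering or WMI filtering problem rather than at the certificate itself.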

Now the untrusted certificate warning no longer appears when Outlook is configured.

Thus, we have configured a policy that automatically distributes the certificate to all domain computers (or to a certain container or domain security group). The certificate will be installed automatically on all new computers without any tech support involvement.
