How to Deploy an Internal CA Certificate via GPO for Trusted HTTPS on Enterprise Intranet



When running internal HTTPS services (intranet portals, development APIs, monitoring dashboards), browsers such as Internet Explorer, Edge and Chrome show a full-page warning whenever the certificate does not chain to a CA the client already trusts. Many enterprises solve this by running their own internal Certificate Authority (CA), but getting every domain-joined machine to trust that CA requires careful deployment. Keep in mind what you are handing out: a certificate placed in Trusted Root Certification Authorities is trusted for every purpose by every machine that receives the policy, so the CA's private key deserves the same protection as domain administrator credentials.

Group Policy Objects (GPO) provide the most scalable way to deploy CA certificates across Windows domains. Here's the technical implementation:


# PowerShell snippet to verify CA cert deployment (run on a domain-joined client; reading the store needs no elevation)
# A root certificate is self-issued, so Issuer and Subject are the same string. The name match only
# finds the entry; compare the printed Thumbprint with the one on your CA, because any certificate
# can carry "Internal CA" in its subject.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Issuer -like "*Internal CA*" } |
    Format-List Subject, Thumbprint, NotAfter

  1. Export your CA's root certificate (DER or Base64 format, certificate only, never the private key)
  2. Create a new GPO in Group Policy Management Console and link it to the OU(s) containing the workstations
  3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
  4. Right-click "Trusted Root Certification Authorities" > Import (only the root goes here; an issuing/intermediate CA belongs under "Intermediate Certification Authorities")

For large environments, consider these optimizations:

  • Use WMI filtering to target specific OS versions
  • Combine with certificate auto-enrollment policies
  • Deploy via SCCM/Intune if hybrid environment exists

# Check GPO application status (computer scope, since the policy lives under Computer Configuration)
gpresult /scope computer /h gpo_report.html

# Force immediate GPO update of computer policy
gpupdate /target:computer /force

# Verify cert store changes in the computer store. certmgr.msc opens the current user's store,
# where the GPO-deployed root will not appear; use certlm.msc (Windows 8.1/Server 2012 R2 and later)
# or mmc with the Certificates snap-in for the Computer account on older systems.
certlm.msc

For non-Windows or BYOD scenarios:

  • Deploy via MDM solutions (Jamf, Intune)
  • Publish certs via Configuration Management tools (Ansible, Chef)
  • Manual import via downloadable PKCS#7 bundle

When implementing HTTPS for internal web applications, organizations often face certificate trust issues with browsers like Internet Explorer. The core problem isn't generating certificates - it's establishing trust across all enterprise workstations.

For browsers to trust your internal sites, three components must work together:

1. The web server's TLS certificate (issued by your CA, carrying the site's FQDN in subjectAltName; Chrome and Edge ignore the CN)
2. The intermediate CA certificate (if used), which the web server must send together with its own certificate
3. The root CA certificate, the only piece that has to be deployed to clients

Example of a typical OpenSSL command to create a root CA (OpenSSL 1.1.1 or later for -addext; without -nodes it prompts for a passphrase that encrypts ca.key, which you want for a root):

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=MyEnterpriseCA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"

Give the root a long lifetime: each time it expires, trust has to be redeployed to every client, so a 365-day root is a maintenance trap. The explicit basicConstraints and keyCertSign extensions make it unambiguously a CA certificate rather than a leaf.
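The three components listed above, built end to end, as an added example that is not part of the original article: a PowerShell script driving OpenSSL to create the root, an issuing intermediate and a SAN-bearing server certificate, then packaging the root as a DER .cer for the GPO and the chain as a PKCS#7 bundle. It assumes openssl 1.1.1 or later is on PATH; the CA names, host name and lifetimes are placeholders.

```powershell
# Added example, not from the original article. Builds root CA -> issuing CA ->
# server certificate with OpenSSL and packages them for deployment.
# Assumes openssl (1.1.1+) on PATH; names and lifetimes below are placeholders.

$RootName = 'MyEnterpriseCA'
$SubName  = 'MyEnterpriseIssuingCA'
$Fqdn     = 'intranet.corp.example'

# Plain function (no [Parameter] attributes) so openssl switches such as -in and -out
# are not mistaken for PowerShell common parameters; fails loudly on a non-zero exit.
function Invoke-OpenSsl {
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args -join ' ') failed (exit $LASTEXITCODE)" }
}

# 1. Root CA. A production root key is generated offline or in an HSM and kept
#    encrypted (drop -nodes); it is unencrypted here only so the script runs unattended.
Invoke-OpenSsl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes `
    -keyout root.key -out root.crt -subj "/CN=$RootName" `
    -addext "basicConstraints=critical,CA:TRUE" `
    -addext "keyUsage=critical,keyCertSign,cRLSign"

# 2. Issuing (intermediate) CA with pathlen:0, so it cannot mint further CAs.
Set-Content -Path sub.ext -Encoding ascii -Value @"
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
"@
Invoke-OpenSsl req -new -newkey rsa:4096 -sha256 -nodes -keyout sub.key -out sub.csr -subj "/CN=$SubName"
Invoke-OpenSsl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial `
    -days 1825 -sha256 -extfile sub.ext -out sub.crt

# 3. Server certificate. The FQDN goes into subjectAltName (Chrome/Edge ignore CN);
#    CA:FALSE and a serverAuth EKU keep it usable only as a TLS server leaf.
Set-Content -Path site.ext -Encoding ascii -Value @"
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$Fqdn,DNS:intranet
authorityKeyIdentifier=keyid,issuer
"@
Invoke-OpenSsl req -new -newkey rsa:2048 -sha256 -nodes -keyout site.key -out site.csr -subj "/CN=$Fqdn"
Invoke-OpenSsl x509 -req -in site.csr -CA sub.crt -CAkey sub.key -CAcreateserial `
    -days 397 -sha256 -extfile site.ext -out site.crt

# 4. Packaging. Only the root goes into the GPO (DER .cer). The web server is
#    configured with leaf + intermediate (site-chain.pem); the PKCS#7 bundle
#    covers the manual-import case for non-domain machines.
Invoke-OpenSsl x509 -in root.crt -outform DER -out EnterpriseCA.cer
Get-Content site.crt, sub.crt | Set-Content -Path site-chain.pem -Encoding ascii
Invoke-OpenSsl crl2pkcs7 -nocrl -certfile site.crt -certfile sub.crt -certfile root.crt -out chain.p7b

# 5. Prove the chain closes before touching a single client.
Invoke-OpenSsl verify -CAfile root.crt -untrusted sub.crt site.crt
```

The split matters operationally: if the root key ever has to be rotated, every client needs a new policy, whereas rotating the issuing CA only requires reissuing server certificates, because clients build the chain from whatever intermediate the server presents.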

The most efficient way to deploy CA trust in a Windows domain is through Group Policy Objects (GPO). Here's how:

1. Prepare the CA Certificate

Export your root CA certificate in DER (binary) or Base64 (PEM) form; on Windows both are conventionally saved with a .cer extension, and the GPO import wizard reads either. DER is the safest choice for older clients. Export the certificate only; the CA's private key never leaves the CA.

2. Create a GPO

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

Right-click and select "Import" to add your CA certificate.

3. Alternative PowerShell Deployment

For environments where GPO isn't available (workgroup machines, golden images), use PowerShell from an elevated session, since the LocalMachine\Root store is writable only by administrators:

# Import-Certificate (PKI module, Windows 8/Server 2012 and later) accepts DER or Base64 input.
Import-Certificate -FilePath "C:\path\to\ca.crt" -CertStoreLocation Cert:\LocalMachine\Root

# Equivalent .NET calls for hosts without the PKI module (works in Windows PowerShell 5.1).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\path\to\ca.crt")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)     # idempotent: adding a certificate that is already present is a no-op
$store.Close()

Internet Explorer, including IE7, reads the same Windows certificate store, so there is no separate browser import. On older systems that lack the PKI PowerShell module (Windows 7/Server 2008 R2 and earlier), certutil does the same job from an elevated command prompt:

certutil -addstore -f Root ca.crt

After deployment, verify in the computer store (certmgr.msc shows only the current user's store, where the root will not appear):

certlm.msc

Check that your CA appears under "Trusted Root Certification Authorities" and that its thumbprint matches the one on the CA. Common issues include:

  • Incorrect certificate format (use DER .cer for maximum compatibility; never distribute a .pfx, which carries the CA's private key)
  • Missing intermediate certificates: the web server must send leaf plus intermediate, and only the root belongs in the Trusted Root policy
  • GPO not applying because the computer object lacks Read and Apply Group Policy on the GPO (security filtering), or the GPO is linked to a user OU while the setting lives under Computer Configuration
  • Name mismatch: the server certificate must list the site's FQDN in subjectAltName; Chrome and Edge ignore the CN
  • Firefox keeps its own trust store and only consults the Windows store when security.enterprise_roots.enabled is true; set it through Firefox enterprise policy if your release does not default it on
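One way to tell these failure modes apart from a client, as an added example that is not part of the original article: connect to the internal site the way a browser does, let Windows build the chain from its own stores, and report whether the chain ends at the expected root, whether that root is actually in the computer store, and which policy or chain-status errors a browser would see. The host name and the expected thumbprint are placeholders; take the real thumbprint from your root CA certificate.

```powershell
# Added example, not from the original article. Diagnoses trust for an internal
# HTTPS endpoint. $ExpectedRootThumbprint is the SHA-1 thumbprint of your root CA
# (placeholder below); the host name is a placeholder too.
function Test-InternalTlsTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedRootThumbprint,
        [int]$Port = 443
    )
    # Normalise "ab:cd ..." / "AB CD ..." to the 40 hex digits the Cert: provider uses.
    $expected = ($ExpectedRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 40) { throw "Expected a SHA-1 thumbprint (40 hex digits)" }

    $state = @{}
    # Accept whatever the server sends so the handshake completes, but record the leaf,
    # the chain Windows built from its own stores, and the policy errors it found.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $state.Root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $state.Errors = $errors
        $state.Status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }

    $san = $state.Leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
           ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Host               = "${HostName}:$Port"
        Subject            = $state.Leaf.Subject
        SubjectAltName     = $san                     # empty = Chrome/Edge name mismatch
        NotAfter           = $state.Leaf.NotAfter
        Root               = $state.Root.Subject
        RootThumbprint     = $state.Root.Thumbprint
        RootIsExpected     = ($state.Root.Thumbprint -eq $expected)
        RootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$expected"   # false = GPO did not land
        PolicyErrors       = $state.Errors            # None = a browser would show the padlock
        ChainStatus        = ($state.Status -join ', ')  # e.g. PartialChain = server omits intermediate
    }
}

# Constructed usage; replace the host and the all-zero placeholder thumbprint with your own values.
Test-InternalTlsTrust -HostName intranet.corp.example -ExpectedRootThumbprint '0000000000000000000000000000000000000000'
```

Read the output in order: RootInMachineStore false means the policy never reached this machine (check gpresult); RootIsExpected false with PolicyErrors set means the server is using a certificate from some other issuer; PartialChain in ChainStatus means the web server is not sending the intermediate; and an empty SubjectAltName explains a name-mismatch warning even when the chain itself is fine.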

For large-scale deployments, consider using Configuration Manager (SCCM) with a package containing this batch script:

@echo off
rem Runs as SYSTEM under the Configuration Manager client, so the certificate lands in the
rem LocalMachine Root store; %~dp0 resolves to the package's content directory.
certutil -f -addstore Root "%~dp0EnterpriseCA.crt"
exit /b %ERRORLEVEL%