Ultimate wireless security guide: Automatic Root Certificate deployment

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, describes how to use Windows Active Directory to globally insert a Root Certificate in to the Certificate Trust List of all users.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Before any Digital Certificate can be used, the signing authority (self-signed in this case) of that certificate must be in the Certificate Trust List (CTL) of the client computer. The technique described in this section works for both Cisco based clients and the native Windows Wireless Zero Configuration (WZC) clients that's built in to Windows XP SP1. If your organization is running Windows AD (Active Directory), there is an extremely simple way of globally inserting a Root Certificate in to the CTL of all users within the AD. If your organization doesn't run Active Directory, skip straight to the Manual Root Certificate deployment.

To get started, you need to fire up your group policy editor by opening up "Active Directory Users and Groups" as a Domain Administrator. You would normally want the Root Certificate to be deployed to the entire domain, but you can also limit the deployment to a certain Organizational Unit that contained a certain class of users. In the rest of my examples in this document, we'll assume that you are deploying the Root Certificate and Wireless PEAP Configuration to your entire Active Directory.

Right click on your domain and click "Properties" as shown in Figure R.

Figure R


Click on the "Group Policy" Tab. Click "New" and make a new policy called "PKI Policy", then click "Edit". (Figure S)

Figure S

PKI Policy

Expand "Computer Configuration" as shown in Figure T. Then right click on "Trusted Root ..." and click "Import".

Figure T

Group Policy Objective Editor

Import the Self Signed Root Certificate (Figure U)and continue with "Next".

Figure U

Certificate Import Wizard

Assuming you've copied your "Root Certificate" to the C:\ directory of the machine you're editing the group policy on, type in the path and name and click "Next". (Figure V)

Figure V

File to import

Click "Finish" on the next screen and close out all of the remaining windows. Once this is complete, your entire Active Directory will "trust" your new "Self Signed" certificate that you self-signed with the "SelfSSL" tool. This exact same technique also works for deploying the root certificate of any PKI Certificate Authority server you build.