Provision an intermediate certificate through Group Policy

Deploying a certificate to a number of systems can be a daunting task. IT pro Rick Vanover thinks there's only one real way to go about it in Windows Server 2008.

A few weeks ago on Twitter, I was tweeting on a whim and said that Active Directory is the greatest product that Microsoft ever made. I partly was saying that to pick a fight and, of course, someone responded by saying that Active Directory is "just LDAP." I'll forgive the fellow Twitter member, as he is a Linux guy. The part of Active Directory that I was specifically happy with was Group Policy, as it can save hundreds of visits to servers and desktops to deploy a certificate.

Why deploy a certificate?

There are a number of use cases to deploy a certificate, but the primary situation is to establish some form of encryption via SSL for an internal web service or application. This certificate can be self-signed (which is not encouraged) or issued by a trusted root certificate authority. The trusted root certificate authority includes VeriSign, Thawte, Entrust, and other agencies.

Aside from individual certificates (that is, the ones you pay for) that may be installed on a web service, there may be a required intermediary certificate or a cross-chain certificate used to access the underlying certificate. VeriSign defines an intermediary certificate as:

The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as a Trust Chain) which enhances the security of your SSL Certificate. If the proper Intermediate CA is not installed on the server, your customers will see browser errors and may choose not to proceed further and close their browser.

Simply put, this certificate is used to make sense of your SSL certificate in use on your web service. The issue is to deploy the intermediate certificate to a number of systems, and I feel the best way to do that is via Group Policy. Making a Group Policy Object (GPO) to deploy this intermediate certificate to the computer account will automatically make the certificate register on the local system. To deploy an intermediate certificate via a GPO in Windows Server 2008, it is imported in the Public Key Policies section of Security Settings (Figure A). Figure A

Click the image to enlarge.
The import wizard will walk you through the import of the intermediate certificate; then, the GPO can be saved and applied to an Organizational Unit for a number of computers. The computer accounts will then receive the intermediate certificate with no user intervention either the next time the system reboots or the Group Policy is refreshed. Figure B shows the area where an intermediate certificate would be installed after this occurs. Figure B

Click the image to enlarge.

When it comes to pushing an intermediate certificate to the masses for servers and workstations, I can't think of a better way than Group Policy. If you've deployed intermediate certificates using a different approach, share your experiences in the discussion.

TechRepublic's Servers and Storage newsletter, delivered on Monday and Wednesday, offers tips that will help you manage and optimize your data center. Automatically sign up today!

About Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

Editor's Picks

Free Newsletters, In your Inbox