Use Policy to Distribute Certificates

Applies To: Windows Server 2008

Certificates are important credentials. Administrators may not want to let users decide which certificates to trust and which not to trust. Often the decision to trust or not trust a particular certificate should be made by an administrator or individual who is knowledgeable about the particular certificate and its trust implications for the organization.

In conjunction with other certificate-related Group Policy settings available in Windows Server 2008 domains, you can use Group Policy to distribute the following types of certificates to clients.

Type of certificate and what the corresponding store holds:

Trusted Root Certification Authorities

Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your own organization and from Microsoft. Any certificate that chains to a root in this store is trusted by every computer the GPO applies to, for every purpose the root's constraints allow, so this is the store to populate with the most care.

Enterprise Trust

Certificate trust lists (CTLs). A CTL is a signed list of self-signed root certificates from other organizations; it lets you trust those roots while limiting the purposes (for example, only secure e-mail or only code signing) for which they are trusted.

Intermediate Certification Authorities

Certificates issued to subordinate CAs. Distributing them here lets clients build a complete chain even when a server or signer does not supply the intermediate certificate itself.

Trusted Publishers

Certificates of software publishers whose signed code (for example, Authenticode-signed drivers, installers, and scripts) is accepted without prompting. This store records trust in the publisher's signing certificate; the certificate must still chain to a trusted root for the signature to validate.

Untrusted Certificates

Certificates that you have explicitly decided not to trust, because they are no longer valid for their intended purpose (for example, a compromised or misissued certificate) or because they come from a source that domain clients should not trust. A certificate in this store is rejected even if it chains to a trusted root.

Trusted People

Certificates issued to people or other end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook (for example, a correspondent's S/MIME certificate).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To add certificates to the Trusted Root Certification Authorities store for a domain

  1. Click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, expand the forest and domain that contain the Default Domain Policy Group Policy object (GPO) that you want to edit, and then double-click Group Policy Objects.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Right-click the Trusted Root Certification Authorities store, and then click Import.

  6. Follow the steps in the Certificate Import Wizard to import the certificate. Before you click Finish, compare the thumbprint the wizard displays with one obtained from the CA owner out of band: once the GPO applies, every computer in its scope will trust any certificate that chains to this root.

The new certificate reaches clients after SYSVOL replication and the next Group Policy refresh (running gpupdate /force on a client applies it immediately). For a change of this kind, a dedicated GPO linked at the domain is easier to scope to specific organizational units and to roll back than an edit to the Default Domain Policy, which is best reserved for account and password policy.
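The same change made from PowerShell, as an added example that is not part of the original article and not a Microsoft-supplied script. It uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (and with RSAT), and it generalizes the six steps above to any of the stores in the table (Root, CA, TrustedPublisher, Disallowed, TrustedPeople), which also covers the Untrusted Certificates entry. Assumptions not stated on the page: the caller is a Domain Admin, the GPO already exists, the certificate file and GPO name are hypothetical, and the policy registry layout described in the comments (a REG_BINARY value named Blob holding property records, with the DER certificate as property 0x20) is what Windows reads; the script writes only that one record, whereas the import wizard also caches hash properties.

```powershell
# Added example (not from the original article). Publish a certificate to a
# Public Key Policies store of a GPO with the GroupPolicy RSAT module, then
# verify the result on a domain member after a policy refresh.
# Assumptions: GroupPolicy module installed, caller is a Domain Admin,
# the GPO exists already; file path and GPO name used below are hypothetical.

Import-Module GroupPolicy -ErrorAction Stop

function Publish-GpoCertificate {
    param(
        [Parameter(Mandatory=$true)] [string]$CerPath,
        [Parameter(Mandatory=$true)] [string]$GpoName,
        [ValidateSet('Root','CA','TrustedPublisher','Disallowed','TrustedPeople')]
        [string]$Store = 'Root',
        [string]$ExpectedThumbprint     # SHA-1 thumbprint confirmed out of band with the CA owner
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Refuse to publish as a root anything that is not actually a root CA certificate.
    if ($Store -eq 'Root') {
        if ($cert.Subject -ne $cert.Issuer) {
            throw "Not self-issued: subject '$($cert.Subject)' issued by '$($cert.Issuer)'"
        }
        $bc = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Basic Constraints does not assert CA=TRUE' }
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
        if ($cert.Thumbprint -ne $expected) {
            throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
        }
    }

    # A policy-delivered certificate lives as REG_BINARY 'Blob' under
    # Software\Policies\Microsoft\SystemCertificates\<Store>\Certificates\<Thumbprint>.
    # The blob is a sequence of property records: [UInt32 propId][UInt32 1][UInt32 len][data].
    # Property 0x20 (CERT_CERT_PROP_ID) carries the DER certificate. Assumption made here:
    # a blob with only that record suffices; the import wizard additionally caches hash properties.
    $der  = $cert.RawData
    $blob = [byte[]]([BitConverter]::GetBytes([uint32]0x20) +
                     [BitConverter]::GetBytes([uint32]1) +
                     [BitConverter]::GetBytes([uint32]$der.Length) +
                     $der)

    $key = "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\$Store\Certificates\$($cert.Thumbprint)"
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Blob' -Type Binary -Value $blob | Out-Null

    # Read the value back from the GPO: what is stored must be exactly what we wrote.
    $written = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Blob'
    if ($written.Value.Length -ne $blob.Length) { throw "GPO write verification failed for $key" }

    Write-Host "Published '$($cert.Subject)' [$($cert.Thumbprint)] to store '$Store' in GPO '$GpoName'"
    return $cert.Thumbprint
}

function Test-GpoCertificate {
    # Run on a domain member after: gpupdate /target:computer /force
    param(
        [Parameter(Mandatory=$true)] [string]$Thumbprint,
        [ValidateSet('Root','CA','TrustedPublisher','Disallowed','TrustedPeople')]
        [string]$Store = 'Root'
    )
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$Store\Certificates\$Thumbprint"
    $viaPolicy = Test-Path $policyKey          # exists only if Group Policy delivered the certificate
    $inStore   = [bool](Get-ChildItem "Cert:\LocalMachine\$Store" | Where-Object { $_.Thumbprint -eq $Thumbprint })
    New-Object PSObject -Property @{
        Thumbprint        = $Thumbprint
        Store             = $Store
        DeliveredByPolicy = $viaPolicy
        InLocalStore      = $inStore
    }
}

# Usage (hypothetical values). On a domain controller or an RSAT workstation:
#   $tp = Publish-GpoCertificate -CerPath 'C:\pki\Contoso-Root-CA.cer' -GpoName 'PKI - Trusted Roots' -Store Root -ExpectedThumbprint $thumbprintFromCaOwner
# Then on a domain member, after gpupdate:
#   Test-GpoCertificate -Thumbprint $tp -Store Root
# To distribute a certificate that clients must reject instead, use -Store Disallowed (the Untrusted Certificates store).
```

Test-GpoCertificate distinguishes two conditions an administrator otherwise conflates: DeliveredByPolicy is true only when the policy registry key exists, whereas InLocalStore is also true for a certificate someone imported by hand on that machine. A root that shows InLocalStore without DeliveredByPolicy was not put there by this GPO and will not be removed when the GPO entry is deleted.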
