Manage Trusted Root Certificates

Applies To: Windows 7, Windows Server 2008 R2

Because of the growing variety of certificates in use today and the growing number of certificate issues, some organizations may want to manage certificate trust and prevent users in the domain from configuring their own set of trusted root certificates. In addition, some organizations may want to identify and distribute specific trusted root certificates to enable business scenarios where additional trust relationships are needed.

This topic includes procedures for the following tasks:

  • Managing trusted root certificates for a local computer
  • Managing trusted root certificates for a domain
  • Adding certificates to the Trusted Root Certification Authorities store for a local computer
  • Adding certificates to the Trusted Root Certification Authorities store for a domain

Managing trusted root certificates for a local computer

Administrators is the minimum group membership required to complete this procedure.

To manage trusted root certificates for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, select the computer whose local Group Policy object (GPO) you want to edit, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Stores tab.

  7. Select the Define these policy settings check box.

  8. Under Per user certificate stores, clear the Allow user trusted root CAs to be used to validate certificates and Allow users to trust peer trust certificates check boxes.

  9. Under Root certificate stores, select the root CAs that the client computers can trust, and then click OK to apply the new settings.
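The per-user check boxes cleared in step 8 exist because, by default, a root that a user adds to their own Trusted Root store is used to validate certificates for that user. The following script is an added example, not part of the original topic, that audits both stores through the .NET X509Store class (available on Windows 7 and Windows Server 2008 R2 with Windows PowerShell 2.0): it reports roots that exist only in the current user's store, which is exactly the trust the policy is meant to stop, and machine-wide roots that are not on an approved list. The thumbprints in $ApprovedRoots are constructed placeholders.

```powershell
# Added example (not part of the original topic): audit the root stores that the
# "Allow user trusted root CAs to be used to validate certificates" setting governs.
# Runs under Windows PowerShell 2.0 and later; no elevation needed for read-only access.

# Constructed placeholder values: replace with the SHA-1 thumbprints of the root CAs
# your organization has approved (the same list chosen under Root certificate stores).
$ApprovedRoots = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

function Get-RootCertificates {
    # Enumerates the Trusted Root Certification Authorities store for one location.
    param([string]$Location)   # 'LocalMachine' or 'CurrentUser'
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'Root', $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try { $store.Certificates | ForEach-Object { $_ } }
    finally { $store.Close() }
}

$machineRoots  = Get-RootCertificates -Location 'LocalMachine'
$userRoots     = Get-RootCertificates -Location 'CurrentUser'
$machineThumbs = $machineRoots | ForEach-Object { $_.Thumbprint }

# 1. The current user's Root view also contains the machine roots, so anything left
#    after removing those was added by (or for) this user alone.
$userOnly = $userRoots | Where-Object { $machineThumbs -notcontains $_.Thumbprint }
foreach ($c in $userOnly) {
    Write-Warning ("User-only root: {0}  thumbprint={1}" -f $c.Subject, $c.Thumbprint)
}

# 2. Machine-wide roots that are off the baseline, expired, or not self-signed
#    (a root store should hold only self-signed CA certificates).
foreach ($c in $machineRoots) {
    $flags = @()
    if ($ApprovedRoots -notcontains $c.Thumbprint) { $flags += 'not-on-baseline' }
    if ($c.NotAfter -lt (Get-Date))                { $flags += 'expired' }
    if ($c.Subject -ne $c.Issuer)                  { $flags += 'not-self-signed' }
    if ($flags.Count -gt 0) {
        '{0}  {1}  [{2}]' -f $c.Thumbprint, $c.Subject, ($flags -join ',')
    }
}
```

Run it once before applying the policy to see what user-level trust is in place, and again afterwards from the account of an ordinary user; a root that is only in the user store will still be listed, but with the per-user check boxes cleared it is no longer used to validate certificates.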

Managing trusted root certificates for a domain

Domain Admins is the minimum group membership required to complete this procedure.

To manage trusted root certificates for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Stores tab.

  8. Select the Define these policy settings check box.

  9. Under Per user certificate stores, clear the Allow user trusted root CAs to be used to validate certificates and Allow users to trust peer trust certificates check boxes.

  10. Under Root certificate stores, select the root CAs that the client computers can trust, and then click OK to apply the new settings.

Adding certificates to the Trusted Root Certification Authorities store for a local computer

Administrators is the minimum group membership required to complete this procedure.

To add certificates to the Trusted Root Certification Authorities store for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Certificates, and then click Add.

  4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.

  5. Click Local computer, and click Finish.

  6. If you have no more snap-ins to add to the console, click OK.

  7. In the console tree, double-click Certificates.

  8. Right-click the Trusted Root Certification Authorities store.

  9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
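The wizard in step 9 will happily import any certificate into the Trusted Root store. The script below is an added example, not part of the original topic, that performs the same import from an elevated Windows PowerShell prompt but refuses anything that is not a current, self-signed CA certificate, and records the thumbprint so the change can be audited and reversed. The file path in $CerPath is an assumed placeholder.

```powershell
# Added example (not part of the original topic): import a root CA certificate into
# the local computer's Trusted Root Certification Authorities store with sanity checks.
# Requires an elevated prompt (Administrators), as the procedure above does.
param([string]$CerPath = 'C:\certs\corp-root.cer')   # placeholder path, DER or Base64 .cer

$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $CerPath

# A root store entry must be a self-signed CA certificate that is still valid;
# anything else (an end-entity cert exported by mistake, an expired root) is rejected.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($cert.Subject -ne $cert.Issuer)                   { throw "Not self-signed: $($cert.Subject)" }
if (-not $basic -or -not $basic.CertificateAuthority) { throw "BasicConstraints CA=true missing: $($cert.Subject)" }
if ($cert.NotAfter -lt (Get-Date))                    { throw "Certificate expired on $($cert.NotAfter)" }

# Log exactly what is being trusted; keep this with the change record.
Write-Host ("Adding root {0}`n  thumbprint={1}`n  valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($cert)) { 'Already present, nothing to do.' }
    else { $store.Add($cert); 'Added.' }
}
finally { $store.Close() }

# Equivalent built-in command on Windows 7 / Windows Server 2008 R2:
#   certutil -addstore Root C:\certs\corp-root.cer
```

To undo the import, remove the certificate with the same thumbprint from the store (for example with `certutil -delstore Root <thumbprint>`), which is why logging the thumbprint at import time matters.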

Adding certificates to the Trusted Root Certification Authorities store for a domain

Domain Admins is the minimum group membership required to complete this procedure.

To add certificates to the Trusted Root Certification Authorities store for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Right-click the Trusted Root Certification Authorities store.

  8. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

Additional references