Deploy Trusted Root Certificates via GPO (Step-by-Step Guide)

When working in a Windows domain you will eventually face a situation where all machines need to trust a specific certificate. This can be an internal PKI, a proxy with TLS (SSL) inspection, or internal services using custom TLS certificates.

Installing certificates manually on each machine does not scale. It takes time, it is easy to make mistakes, and it becomes hard to maintain.

The correct way to handle this in an Active Directory environment is by using Group Policy.

In this guide I will show you how to deploy a trusted root certificate to domain computers using GPO step by step and how to verify that everything works as expected.

When you might need this

You will usually need this in scenarios like:

  • Deploying an internal Certification Authority (AD CS)
  • Trusting a corporate proxy that performs TLS (SSL) inspection
  • Using internal services with self-signed or private CA certificates
  • Building trust between internal systems

Keep in mind what you are handing out: every computer that receives the policy will trust anything signed by that CA, including TLS certificates for any hostname. Whoever holds the CA's private key (or the inspecting proxy's key) can impersonate any site to every machine in scope, so protect that key accordingly and deploy only the public certificate. If the CA is an Enterprise CA installed with AD CS, its root certificate is already published to Active Directory and distributed to domain members automatically; the GPO method is mainly for offline or standalone roots, proxy roots, and other third-party certificates.

Step 1 Open Group Policy Management and create a new GPO

Start by opening Group Policy Management. You can do this by running:

gpmc.msc


Once opened navigate to your domain and locate the Organizational Unit that contains your computer accounts.

The policy must be linked to a container that holds the computer objects (an OU, or the domain itself if it should apply to every computer). This matters because we are deploying the certificate to computers, not users.

If you link the GPO to an OU that only contains user accounts, or to the wrong container, the certificate will not be applied.

Right click the target OU that contains computers and select:

Create a GPO in this domain and Link it here


Give your policy a clear name for example:

Deploy Trusted Root Certificate


Step 2 Edit the GPO

After creating the policy you need to edit it.

In Group Policy Management right click your newly created GPO and select Edit


This will open the Group Policy Management Editor.

Since we are deploying the certificate to computers make sure you are working under Computer Configuration.

Step 3 Navigate to Trusted Root Certification Authorities

In the Group Policy Management Editor go to:

  1. Computer Configuration
  2. Windows Settings
  3. Security Settings
  4. Public Key Policies
  5. Trusted Root Certification Authorities

This is the location where trusted root certificates for computers are defined.

Make sure you are selecting Trusted Root Certification Authorities and not Intermediate Certification Authorities. Only a self-signed root CA certificate belongs here; anything placed in this store becomes a trust anchor that is trusted without further checks. A subordinate (intermediate) CA certificate, which is issued by some other CA, goes into Intermediate Certification Authorities instead.
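A quick way to tell which store a given file belongs in, and to record the thumbprint you will later look for on clients, is to read the certificate with PowerShell before importing it. The script below is an added example and is not part of the original guide; the file path is an assumption, substitute your own.

```powershell
# Added example, not part of the original guide: inspect a certificate file before
# importing it into the GPO and report which store it belongs in.
param(
    [string]$Path = 'C:\Certs\corp-root-ca.cer'   # assumed file name; use your own
)

function Get-CaCertificateInfo {
    param([Parameter(Mandatory)][string]$Path)

    # X509Certificate2 loads both DER (.cer) and Base64/PEM encoded files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $Path).ProviderPath)

    # Basic Constraints says whether the certificate may act as a CA at all.
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # A root is self-issued: Subject and Issuer carry the same name.
    $selfIssued = ($cert.Subject -eq $cert.Issuer)

    $store = if ($isCa -and $selfIssued) {
        'Trusted Root Certification Authorities'
    } elseif ($isCa) {
        'Intermediate Certification Authorities (issued by another CA, so not a trust anchor)'
    } elseif ($selfIssued) {
        'Self-signed end-entity certificate; Trusted Root works, but a private CA is cleaner'
    } else {
        'End-entity certificate; deploy the root CA that issued it instead'
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Thumbprint       = $cert.Thumbprint     # keep this; you verify it on clients later
        NotAfter         = $cert.NotAfter
        IsCA             = $isCa
        SelfIssued       = $selfIssued
        HasPrivateKey    = $cert.HasPrivateKey  # must be False for anything you deploy
        RecommendedStore = $store
    }
}

$info = Get-CaCertificateInfo -Path $Path
$info | Format-List

if ($info.HasPrivateKey) {
    Write-Warning 'File contains a private key (PFX?). Export the public certificate only before deploying.'
}
if ($info.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has already expired; clients will not trust chains ending in it.'
}
```

Run it on the machine where you edit the GPO. If RecommendedStore is not Trusted Root Certification Authorities, you are either holding an intermediate certificate or a leaf certificate, and importing it at this step would not give you the trust you want.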

Step 4 Import the certificate

Right click Trusted Root Certification Authorities and select Import


This will launch the Certificate Import Wizard.

Select Local Machine when prompted and continue.


Click Browse and select your certificate file. Use the exported public certificate only (a .cer or .crt in DER or Base64 format, or a .p7b); never import a .pfx/.p12 here, since that file also carries the private key and would be copied to every client.


Confirm the selected certificate and click Next.


Make sure the option Place all certificates in the following store is selected and that the store is set to Trusted Root Certification Authorities.


Complete the wizard by clicking Finish.


You should see a message confirming that the import was successful.


After that the certificate should appear in the list.


Step 5 Apply the policy and verify

After configuring the GPO you need to make sure it is applied on client machines.

You can either wait for the automatic Group Policy refresh (computer policy is applied at startup and refreshed roughly every 90 minutes afterwards) or force it manually on the client by running:

gpupdate /force

PS C:\Users\user1> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Once the policy is applied you should verify that the certificate is present on the machine.

Open the local machine certificate store by running:

certlm.msc


Navigate to:

  1. Trusted Root Certification Authorities
  2. Certificates

Check that your certificate appears in the list.

You can also verify it using PowerShell:

Get-ChildItem Cert:\LocalMachine\Root

If the certificate is not present, check the following:

  • The GPO is linked to the correct OU (or the domain) containing computer accounts, and is not disabled or excluded by security filtering or a WMI filter
  • The client machine's computer account is actually in that OU
  • Group Policy has been updated successfully on the client (gpupdate /force, or a reboot)
  • gpresult /r /scope:computer (run from an elevated prompt) lists the GPO under Applied Group Policy Objects
  • No errors in the Group Policy operational log in Event Viewer (Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational)
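The checks above can be run in one go on a client. The script below is an added example, not part of the original guide; the thumbprint and GPO name are placeholders for your own values, and it should be run from an elevated PowerShell prompt so that gpresult can read the computer scope. It also distinguishes a certificate that arrived through Group Policy from one that was imported by hand, which is the usual source of confusion when a test machine looks fine but the rest of the fleet does not.

```powershell
# Added example, not part of the original guide: verify on a domain-joined client that
# a GPO-deployed root certificate arrived, and gather the usual troubleshooting data.
param(
    [string]$Thumbprint = 'REPLACE_WITH_THUMBPRINT',        # assumption: from your root cert
    [string]$GpoName    = 'Deploy Trusted Root Certificate'  # the GPO name used in this guide
)

function Test-DeployedRootCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$GpoName
    )
    # Strip spaces or colons from a thumbprint pasted out of certlm.msc.
    $tp = $Thumbprint -replace '[^0-9A-Fa-f]', ''

    # 1. Is the certificate in the machine Root store at all?
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $tp

    # 2. Did it come from Group Policy? Policy-delivered certificates are written under
    #    HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>;
    #    a manually imported one lives under HKLM\SOFTWARE\Microsoft\SystemCertificates instead.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$tp"
    $fromGpo = Test-Path -LiteralPath $policyKey

    # 3. Does gpresult list the GPO as applied to the computer? (needs an elevated prompt)
    $gpresult   = gpresult /r /scope:computer 2>&1 | Out-String
    $gpoApplied = [bool]($gpresult -match [regex]::Escape($GpoName))

    # 4. Any Group Policy processing errors on this machine in the last 24 hours?
    $gpErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2                      # 2 = Error
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint       = $tp
        InRootStore      = [bool]$cert
        Subject          = $cert.Subject
        DeliveredByGpo   = $fromGpo
        GpoListedApplied = $gpoApplied
        GpErrorsLast24h  = @($gpErrors).Count
    }
}

$result = Test-DeployedRootCertificate -Thumbprint $Thumbprint -GpoName $GpoName
$result | Format-List

if (-not $result.InRootStore) {
    Write-Warning 'Certificate is not in the machine Root store. Check OU membership, GPO link and gpresult output.'
} elseif (-not $result.DeliveredByGpo) {
    Write-Warning 'Certificate is present but was not delivered by Group Policy (imported manually?). Other clients may still be missing it.'
}
if (-not $result.GpoListedApplied) {
    Write-Warning "GPO '$GpoName' does not appear in the applied computer policies."
}
```

A healthy client shows InRootStore, DeliveredByGpo and GpoListedApplied all True with zero recent errors. InRootStore True but DeliveredByGpo False means someone imported the certificate locally, which will not tell you anything about the rest of the fleet.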
