Adding a Trusted Root Certificate to the Group Policy

You can use the Certificates snap-in to export a copy of a certificate for use on another computer, or to create a backup copy.

To establish a chain of trust for your PKI environment, you designate the root certificate of the CA you just created as a trust anchor: every certificate the CA issues will then chain to a root that domain computers already trust.

To establish the CA as a trust anchor, add the root certificate for the CA to the Trusted Root Certification Authorities container in the group policy object that defines the IP Security policies.

To Add a Trusted Root Certificate to the Group Policy Object

  1. Open the Certificates (MMC) snap-in.

    If the Certificates snap-in is not available, you can run MMC and click File > Add/Remove Snap-in to add it.

  2. Select Computer account, and click Next.

  3. Select Local computer, then click Next.

  4. Click Certificates > Trusted Root Certification Authorities > Certificates.

  5. Select the root certificate generated by the CA you created in the previous procedure, then double-click it to open it.

  6. Click the Details tab, then click Copy to File to start the Certificate Export Wizard. In the wizard, make the following selections:

    • File format: DER encoded binary X.509 (.CER)
    • File Name: Anywhere on the local server
    • Include all certificates in the certification path: No

    A DER .CER file contains only the public certificate, never the CA's private key, so it is safe to copy to any machine. Note the certificate's thumbprint from the Details tab; you can use it to confirm that the file you import in the following steps is the one you exported.

  7. Open the Group Policy Object Editor and select the group policy object that defines the IP Security policies.

    Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.

  8. Right-click Trusted Root Certification Authorities and select Import to open the Certificate Import Wizard.

  9. Click Next on the Welcome screen.

  10. Browse to the root certificate you exported in Step 6, then click Next to accept the default values on each screen.

  11. Click Finish to complete the wizard.

The root certificate is now stored in the Trusted Root Certification Authorities container of the group policy object. Group Policy delivers certificates in this container to every computer within the scope of that GPO (the domain or OU it is linked to) at the next policy refresh, typically within 90 minutes, or immediately after you run gpupdate /force on a client, so each of those computers trusts the root CA. Because anyone who can edit this GPO can make every computer in its scope trust an arbitrary CA, restrict edit rights on the GPO and verify the thumbprint of the imported certificate against the one you exported.
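The same export and a verification of the result, as an added PowerShell example that is not part of the original page. The first half runs on the server that holds the root certificate (Steps 1 to 6); the second half runs on any computer within the GPO's scope after Steps 7 to 11 to confirm that Group Policy, rather than a manual install, delivered the root. The thumbprint and the export path are placeholders you replace with your own values.

```powershell
# Added example, not the original page's code. Assumptions: $RootThumbprint is the
# thumbprint of your root CA certificate and $ExportPath is any writable local path.
$RootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: replace with your root CA thumbprint
$ExportPath     = 'C:\Temp\RootCA.cer'                          # assumption: any path on the local server

# --- Steps 1 to 6: locate the root certificate and export it as DER (.CER) ---
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint }
if (-not $root) { throw "Root certificate $RootThumbprint not found in LocalMachine\Root" }

# A trust anchor must be self-signed; refuse to export an intermediate by mistake.
if ($root.Subject -ne $root.Issuer) { throw "Certificate is not self-signed: $($root.Subject)" }

# -Type CERT writes DER-encoded binary X.509, the same choice as in the wizard.
# A .CER file carries only the public certificate, never the private key.
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null

# Re-read the file and confirm its thumbprint matches the certificate you selected
# before the file is imported into the GPO.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($ExportPath)
if ($exported.Thumbprint -ne $RootThumbprint) { throw "Exported file does not match the selected certificate" }
"Exported $($root.Subject) ($RootThumbprint) to $ExportPath"

# --- After Steps 7 to 11, on a computer in the GPO's scope: confirm delivery ---
# Force a policy refresh instead of waiting for the background interval.
gpupdate /target:computer /force | Out-Null

# Certificates delivered by Group Policy are recorded under the policy hive.
# A certificate installed by hand into the machine store does not appear here,
# so this key distinguishes a GPO-delivered root from a local one.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$RootThumbprint"
if (Test-Path $policyKey) {
    "Root CA $RootThumbprint was delivered by Group Policy"
} else {
    Write-Warning "Not in the Group Policy root store; check the GPO link and scope with 'gpresult /r'"
}

# Confirm it is visible in the machine's effective Trusted Root store.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

The self-signed check and the thumbprint comparison guard against the two common mistakes in this procedure: exporting an issuing (intermediate) CA instead of the root, and importing a file other than the one you meant to. Checking the policy registry key rather than only the certificate store tells you that the GPO, not some earlier manual step, is the source of trust on that client.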