Purpose
This procedure shows how to deploy a certificate to multiple computers by using the Active Directory Domain Services and Group Policy Object (GPO). This procedure is useful each time a certificate needs to be pushed to clients.
For example, when you need to push a WSUS self-signed or CA-signed certificate to all of your clients before they can trust the published third party packages.
Note: As a minimum requirement, only members of the local administration group (or its equivalent) can perform this procedure.
Steps
- Open the Group Policy Management Console.
- Find an existing or create a new GPO that contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
- Right click the GPO, and then select Edit.The Group Policy Management Editor opens, and displays the current contents of the policy object.
- In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
- Click the Action menu, and then click Import.
- Follow the instructions in the Certificate Import Wizard to find and import the certificate.
- If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
Affected Product(s)
- All WSUS versions
- All SCCM versions