How do I deploy an internal certificate authority?

IE7 aggressively warns about certificate failure; we have some internal sites that run over HTTPS and thus need a valid cert. We appear to have a certificate authority on the intranet that can sign SSL certs, but we have a problem: how do we mass configure desktops to trust the internal CA?

Is it possible to deploy the internal CA cert locally, via GPO?


The certificate can be distributed by group policy.

From: http://unixwiz.net/techtips/deploy-webcert-gp.html

In the Group Policy Object Editor, navigate down to:

  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Public Key Policies
  • Trusted Root Certification Authorities

Then right-click and select Import.
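Once the policy has applied, a quick way to confirm on a workstation that the CA certificate actually landed in the machine Trusted Root store and that an internal HTTPS site chains to it. This is an added example, not part of the answer above; the CA file path and the internal host name are placeholders.

```powershell
# Added example: verify a GPO-deployed internal root CA on a Windows desktop.
# Placeholders: $CaCertPath (exported copy of the CA cert) and $InternalSite.
param(
    [string]$CaCertPath   = 'C:\Deploy\internal-root-ca.cer',   # placeholder
    [string]$InternalSite = 'intranet.example.internal'         # placeholder
)

# The CA cert we expect the GPO to have pushed, loaded from the exported file.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# 1. Is that CA present in the machine-wide Trusted Root store (the store the GPO writes to)?
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if (-not $inRoot) {
    Write-Warning "Root CA '$($expected.Subject)' is not in LocalMachine\Root; the GPO may not have applied yet (try gpupdate /force)."
    exit 1
}
Write-Host "Found trusted root: $($inRoot.Subject) (thumbprint $($inRoot.Thumbprint))"

# 2. Fetch the internal site's certificate. The callback accepts any cert here only so
#    we can retrieve it; the real trust decision is made by X509Chain below.
$tcp = New-Object System.Net.Sockets.TcpClient($InternalSite, 443)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($InternalSite)
$site = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

# 3. Build the chain with the machine's stores and check it terminates at our CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal CA may not publish a reachable CRL
$ok = $chain.Build($site)
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if ($ok -and $rootThumb -eq $expected.Thumbprint) {
    Write-Host "$InternalSite chains to the internal root CA: OK"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "$InternalSite does NOT chain to the expected root (status: $status)"
    exit 2
}
```

Run it under an account that can read the machine store; an exit code other than 0 is the signal to look at gpresult /r or at the site's own certificate chain.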

On Debian there's the pyca package for running a CA; however, for all it does, you basically need to know how OpenSSL's underlying CA support works.

There's always the AD CA tool; however, I've found that it's only good for limited uses. Perhaps have a main CA using the more capable OpenSSL-based tools, then create an interim CA for the Windows stuff?