Self Signed Certificate - Active Directory - Make it trustable to all users

I use Google Apps For Business + SingleSignOn, which means all my users log in through an internal interface instead of through gmail.com.

This SingleSignOn open source solution uses the SAML protocol (I think that is correct) to log the user in to Google services. It integrates with AD, so all my users use their Windows credentials to log in to e-mail.

This SSO interface needs an SSL certificate to exchange information with the Google platform; the problem is that it is self-signed, causing "Invalid certificate" screens, which confuse my users.

Question: Is there any way to push a certificate as "Trusted" to all users using an Active Directory policy? I want this invalid certificate screen to go away and I don't want to buy a certificate for only a couple of users. This SSO interface runs on Apache and is behind the firewall, available only in the office or through VPN.


Yes, it is quite possible to push out certificate trusts to users. This is done through Group Policy. You can find it under Users -> Windows Settings -> Security Settings -> Public Key Policies. From there you can manage which certificates and certificate authorities are to be trusted. The same hive exists on the Computer side of the GPO as well.

You'll probably find your AD CA in there, if you have one. These are quite useful for enterprise certificate-authorities.
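One way to verify on a domain client that the pushed trust actually works, and that the certificate will also pass the browser's host name check, as an added example that is not code from the question or the answer. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or newer (or PowerShell 7); the host name sso.corp.example and the path C:\sso\sso.cer are placeholders.

```powershell
# Added example, not code from the question or answer. sso.corp.example and
# C:\sso\sso.cer are placeholders for the SSO host name and the exported cert.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-SsoCertTrust {
    param([Parameter(Mandatory)][X509Certificate2]$Cert,
          [Parameter(Mandatory)][string]$HostName)
    # A self-signed cert has Subject == Issuer, so Windows treats it as its own
    # root: it belongs in "Trusted Root Certification Authorities" under
    # Public Key Policies, not in the intermediate store.
    $selfSigned = $Cert.Subject -eq $Cert.Issuer
    # Trust alone does not remove the browser warning; the host name must also
    # appear in the Subject Alternative Name extension (OID 2.5.29.17) or CN.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { $san.Format($false) } else { $Cert.Subject }
    $nameOk = $names -match [regex]::Escape($HostName)
    # Build the chain the way a client does. Before the GPO has delivered the
    # cert this fails with UntrustedRoot; after gpupdate it should succeed.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # no CRL exists
    $trusted = $chain.Build($Cert)
    $status = if ($trusted) { 'OK' } else { ($chain.ChainStatus.Status -join ',') }
    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        SelfSigned  = $selfSigned
        NameMatches = $nameOk
        Expired     = $Cert.NotAfter -lt (Get-Date)
        TrustedHere = $trusted
        ChainStatus = $status
    }
}

# Demonstration on a constructed, in-memory self-signed certificate (no store
# side effects) to show the state before the GPO has applied.
$req = [CertificateRequest]::new('CN=sso.corp.example', [RSA]::Create(2048),
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName('sso.corp.example')
$req.CertificateExtensions.Add($sanBuilder.Build())
$demo = $req.CreateSelfSigned((Get-Date).AddMinutes(-5), (Get-Date).AddYears(1))
Test-SsoCertTrust -Cert $demo -HostName 'sso.corp.example'

# Real use on a domain client, with the DER file exported from the Apache server:
# Test-SsoCertTrust -Cert ([X509Certificate2]::new('C:\sso\sso.cer')) -HostName 'sso.corp.example'
```

Firefox keeps its own trust store and only honours the Windows root store when its security.enterprise_roots.enabled preference is true, so an Internet Explorer or Chrome user can be fine while a Firefox user still sees the warning.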