Configuring Root and Subordinate Certificates Deployment via Group Policy on Windows Server 2022
In the first two parts, we successfully set up our Two-Tier PKI infrastructure on Windows Server 2022. In this third part, we’ll configure the deployment of root and subordinate certificates via Group Policy.
First, ensure the root certificate from RootCA (RootCA_Pwoks-RootCA-CA.crt) is located in C:\CertData and in C:\Windows\System32\certsrv\CertEnroll. Similarly, the subordinate CA certificate from SUBCA (SubCA.pwoks.local_pwoks-SUBCA-CA.crt) should be in C:\Windows\System32\certsrv\CertEnroll.
Next, create a new folder named C:\Certs on the SubCA server and copy RootCA_Pwoks-RootCA-CA.crt and SubCA.pwoks.local_pwoks-SUBCA-CA.crt into it. For readability, rename RootCA_Pwoks-RootCA-CA.crt to RootCA.crt and SubCA.pwoks.local_pwoks-SUBCA-CA.crt to SUBCA.crt.


Then, create a C:\Certs folder on the domain controller DC and copy the contents of C:\Certs from SUBCA into it. On DC, double-click both certificates in C:\Certs and check their validity periods: RootCA should be valid until 2034 (10 years) and SUBCA until 2029 (5 years).

If you have multiple domain controllers, replicate the C:\Certs directory on each one and deploy the certificates accordingly.
On DC, open Active Directory Users and Computers and create two new OUs: Servers and DomainPCs.
For testing, install a Windows 11 VM named Client, join it to the domain, and move its computer object from the default Computers container to the DomainPCs OU.

Distribute RootCA and Subordinate CA certificates to domain PCs using Group Policy
To deploy the certificates via Group Policy, open Group Policy Management on DC by typing gpmc.msc in the search bar. Find the DomainPCs OU, right-click, and select “Create a GPO in this domain, and Link it here…”.

Name the new GPO PKICerts and click OK. Expand the DomainPCs OU, right-click on PKICerts, and select Edit.

In the Group Policy Management Editor, expand Computer Configuration – Policies – Windows Settings – Security Settings, and Public Key Policies. Right-click on Trusted Root Certification Authorities and select Import.

In the Certificate Import Wizard, browse to C:\Certs and select RootCA.crt.

Ensure Trusted Root Certification Authorities is selected, then click Next and Finish. Right-click on Intermediate Certification Authorities and select Import.

Select SUBCA.crt, ensure Intermediate Certification Authorities is selected, then click Next and Finish.

To verify the certificate deployment, open CMD as an administrator on Client and run:
gpupdate.exe /force
Open MMC, add the Certificates snap-in for the Local Computer, and verify that RootCA is listed under Trusted Root Certification Authorities and SUBCA under Intermediate Certification Authorities. Duplicate entries may appear, which is normal.
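As an added check that is not part of the original post, the following PowerShell script run on Client compares the deployed certificates against the files in C:\Certs by thumbprint (rather than by name) and confirms that SUBCA actually chains to the deployed root. It assumes RootCA.crt and SUBCA.crt have been copied to C:\Certs on Client.

```powershell
# Added example: verify GPO-deployed CA certificates on a domain PC.
# Assumes C:\Certs\RootCA.crt and C:\Certs\SUBCA.crt exist on this machine.
$expected = @{
    'RootCA.crt' = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
    'SUBCA.crt'  = 'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
}

foreach ($file in $expected.Keys) {
    $path  = Join-Path 'C:\Certs' $file
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $store = $expected[$file]
    # Match on thumbprint: a different certificate with the same subject name would not match.
    $found = @(Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    if ($found.Count -gt 0) {
        '{0,-10} present in {1} ({2} copies, thumbprint {3}, expires {4:yyyy-MM-dd})' -f `
            $file, $store, $found.Count, $cert.Thumbprint, $cert.NotAfter
    } else {
        Write-Warning ('{0} NOT found in {1}; run gpupdate /force and check the GPO link' -f $file, $store)
    }
}

# Confirm the subordinate certificate chains up to the deployed root.
# Revocation checking is skipped here on purpose; this test is about trust only.
$sub   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Certs\SUBCA.crt'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($sub)) {
    $names = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
    'SUBCA chains to: ' + ($names -join ' -> ')
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ('Chain problem: {0} ({1})' -f $_.Status, $_.StatusInformation.Trim())
    }
}
```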

Deploy the Root Certificate to the Domain Controller
There are two ways to do this. One is to link the PKICerts policy we created to the Domain Controllers OU. We will use the second, which is to install RootCA.crt and SubCA.crt manually.
Open C:\Certs on DC, double-click on RootCA.crt, and select Install Certificate.

Choose Local Machine, then select “Place all certificates in the following store” and choose Trusted Root Certification Authorities.

Click Next and Finish. This completes the necessary steps for this part.
Optional – Enable Access to Certs for Linux, Android, and iOS Machines
This step is optional but useful if you have Linux, Android, or iOS devices in your environment.
We will perform this part on the SubCA server, which already has everything in place and the certificates in the C:\Certs folder. We need to create a new virtual directory in IIS.
On the SubCA server, start IIS Manager, right-click on Default Web Site, and select Add Virtual Directory.

Create an alias named Certs and point it to the C:\Certs directory as the physical path.

Click on the Certs directory under Default Web Site, open Directory Browsing, and enable it. Restart IIS for good measure. Because directory browsing lists everything in C:\Certs, keep only the public .crt files in that folder. Now, from the Linux client you installed and joined to the domain, you can fetch the certificates at http://subca.pwoks.local/certs. This is very useful.
With these steps, we have streamlined the deployment of the RootCA and SubCA certificates across the domain and to other platforms, making our infrastructure more resilient and our lives easier.
