Certificate Not Showing in Group Policy
Hi All,
I have imported a third party certificate into the trusted root certificate authority store on both of my domain controllers. It imported without error and shows up on both properly. I am trying to configure Wired Network Policy within group policy to automatically assign a client a certificate for use with PEAP. However, this cert I imported to the domain controllers hours ago is still not showing up in the list of available certs to choose under the PEAP Trusted Root Certification Authorities list. How do I get the cert to show up?
Thanks
September 14th, 2011 2:30pm
Hello,
I think it will be better to ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 14th, 2011 4:18pm
You need to import the Root CA certificate into Active Directory to distribute the trust to all members of AD, not just the DCs.
You can either use the certutil command to import it to the enterprise store to distribute the trust to all domains in the forest:
certutil -dspublish -f rootca_filename.cer RootCA
or use group policy to add the Root CA certificate to the trusted root store for a specific domain: http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx
/Hasain
September 15th, 2011 1:00am
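The publication step Hasain describes, as an added PowerShell example that is not part of the original thread: it validates the file as a self-signed, time-valid root before calling certutil -dspublish, then reads the forest's Certification Authorities container back to confirm the object was created. The file path is a placeholder, and the script assumes it is run elevated by an Enterprise Admin on a domain-joined machine.

```powershell
# Added example (not from the original thread). Validate a third-party root CA
# certificate, publish it to the forest-wide trust store with certutil, and confirm
# the object exists in Active Directory. $CerPath is an assumed location.
param([string]$CerPath = 'C:\Temp\rootca.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# The RootCA target is only for self-issued certificates; an intermediate belongs
# under SubCA instead, so refuse anything whose issuer differs from its subject.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root. Subject: '$($cert.Subject)'  Issuer: '$($cert.Issuer)'"
}

# An expired or not-yet-valid root imports without error but is never trusted.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not time valid: NotBefore=$($cert.NotBefore) NotAfter=$($cert.NotAfter)"
}

# Publish to the Configuration partition; -f overwrites an existing object with the same CN.
& certutil.exe -dspublish -f $CerPath RootCA
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dspublish failed with exit code $LASTEXITCODE"
}

# Read the container back and match on thumbprint rather than trusting certutil's output.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"

$found = $false
foreach ($obj in $container.Children) {
    # cACertificate is multi-valued; each value is the DER blob of one certificate.
    foreach ($blob in $obj.Properties['cACertificate']) {
        $published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        if ($published.Thumbprint -eq $cert.Thumbprint) {
            $found = $true
            Write-Host "Published as $($obj.Properties['distinguishedName'].Value)"
        }
    }
}

if (-not $found) {
    throw "Thumbprint $($cert.Thumbprint) not found under CN=Certification Authorities after publish"
}
```

Members do not see the new root the instant it appears in AD: the enterprise Root store is refreshed on the next Group Policy refresh or autoenrollment pulse, so on a test client run gpupdate /force (or certutil -pulse) before checking the local stores.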
Hi Hasain,
Thanks. I ended up importing it using GPO last night. I imported it into the default domain policy. However, this morning it is still not showing up for the policy mentioned above. So I have just imported it into the Trusted Root Authority Store for that policy as well. However, I noticed when viewing the cert imported into the default domain policy last night that it shows as not trusted and says to trust it, import it into the same store it was already imported into. Is it possible that the cert is invalid even though it successfully imports? Or am I missing something?
Thanks
September 15th, 2011 11:27am
Please check the following:
1. The Root CA certificate is time valid; if possible, provide the output of the command:
certutil -dump rootca.crt
2. The GPO has replicated and applied to the computer used to configure the PEAP Policy:
certutil -viewstore -GroupPolicy Root
/Hasain
September 15th, 2011 1:50pm
Hi All,
Still have not resolved this problem and hoping I can get some next steps. I have applied the certificate in question into the default domain policy under Public Key Policies\Trusted Root Certification Authorities. This certificate then replicates to all clients and shows up under User and Computer Trusted Root Certification Authorities. However, the domain controllers never appear to receive this cert when I open and view via the Certificates MMC. Even if I manually import this certificate into the Trusted Root on the DCs, the cert will never show up in the list of available certificates to choose in the screen shot above.
I am not sure what I am missing here but it's driving me nuts.
September 22nd, 2011 12:55pm
Try either adding the Root CA as a trusted root in the forest using the command
certutil -dspublish -f rootca_filename.cer RootCA
or adding the Root CA using the "Default Domain Controller" policy.
If you run the group policy editor on another machine than your DC, can you see the desired Root CA in the list?
/Hasain
September 22nd, 2011 1:21pm
Manually importing the cert to the domain controller using certutil forced the cert to show up in the list under the policies. What is the difference between using certutil and importing through the GUI?
Thank you for your help!
September 26th, 2011 11:09am
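The checks Hasain lists (time validity, and whether the GroupPolicy Root store on the editing machine actually holds the cert) and the closing question about certutil versus the GUI both come down to which store scope the certificate landed in. certutil -addstore writes to the local machine store unless -user is given, whereas certmgr.msc and a Certificates snap-in added without choosing "Computer account" show the current user's store, and the policy editor's PEAP list is built from the machine-scope root stores of the computer running it. The following PowerShell, added here and not part of the original thread, reports every scope in which a given thumbprint is present so the mismatch is visible at a glance. The thumbprint argument is whatever certutil -dump prints for the root in question; the only assumption is a domain-joined Windows host with certutil available.

```powershell
# Added example (not from the original thread). Report each store scope that
# contains a root CA with the given thumbprint: per-user, per-machine, the
# Group Policy view and the Enterprise (AD-published) view.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

# certutil -dump prints "Cert Hash(sha1): aa bb cc ..."; normalise to bare upper-case hex.
$Thumbprint = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
$result = [ordered]@{}

# 1. CurrentUser and LocalMachine via the Cert: provider. certmgr.msc shows the
#    former; certutil -addstore (without -user) and the PEAP policy editor use the latter.
foreach ($scope in 'CurrentUser', 'LocalMachine') {
    $hit = Get-ChildItem "Cert:\$scope\Root" | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $result["$scope\Root"] = [bool]$hit
}

# 2. The Group Policy and Enterprise views are only exposed through certutil.
function Test-CertutilStore {
    param([string]$Switch, [string]$Store)
    $out = & certutil.exe -store $Switch $Store 2>&1 | Out-String
    # Older builds print the hash with spaces between bytes; strip them before comparing.
    $hashes = [regex]::Matches($out, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    return [bool]($hashes -contains $Thumbprint)
}
$result['GroupPolicy\Root'] = Test-CertutilStore -Switch '-grouppolicy' -Store 'Root'
$result['Enterprise\Root']  = Test-CertutilStore -Switch '-enterprise'  -Store 'Root'

[pscustomobject]$result | Format-List
```

Run it on the machine where the Wired Network Policy is being edited. If CurrentUser\Root is True and LocalMachine\Root is False, the GUI import went to the wrong scope; if GroupPolicy\Root is False after a GPO import, the policy has not applied to that machine yet (gpupdate /force, then re-run); if Enterprise\Root is False after certutil -dspublish, the AD object has not replicated or the autoenrollment refresh has not run.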