IIS server certificate distribution using GPO
I have a website on my intranet that, due to the nature of the data, requires the data to be encrypted using SSL/HTTPS. I created a self-signed certificate on the web server (IIS7) and can import it in my browser to eliminate the certificate error screen, and all works well. What I need is to push that certificate out to clients who require that application. I also have a couple of IE settings that need to be set (ActiveX script and Trusted site). I figured out how to push the IE security settings using a GPO that is linked to the domain and applies only to a group defined in Active Directory. That part is working. I was hoping to use the same GPO to push the certificate as well. Here is what I tried, but it does not seem to work:

1. I navigated to the site to get the error.
2. Selected "Continue" at the cert error screen.
3. Clicked on the cert error to "View certificate".
4. Clicked the "Details" tab and then the "Copy file" button.
5. Followed the wizard and selected DER encoded binary (I also tried P7B, as that was used in one post I saw).
6. Then saved it to a location.
7. I then went into Group Policy Manager on the AD server and right-clicked on the GPO I used for the IE security settings.
8. Then navigated to "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities", right-clicked and selected "Import".
9. I followed the import wizard and imported the previously saved CER file into "Trusted Root Certification Authorities".

I figured that anyone in the application group that was getting the IE security settings would now have the certificate automatically installed, but that does not occur. I still get the cert error screen. I thought I had the steps right based on some posts in this forum, but obviously not. Can someone advise as to what I am doing wrong? Thanks.
December 14th, 2011 2:15pm

Because the Trusted Root Certification Authority is a computer setting you need to make sure that the policy is applied to the computers used by the users accessing the web site. /Hasain
December 16th, 2011 1:02pm

Is there not a way to tie it to a user? If I only have a subset of users that require access to the internal server, can it be done that way? That would be more ideal, if it is possible.
December 16th, 2011 1:06pm


It is not possible. Root trust is a computer setting, not a user setting. Each individual user would have to add the root certificate as a trusted root (and not be local administrators on the box, as this would establish root trust for the machine, not the user). Brian
December 17th, 2011 8:31am
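The replies above come down to one point: a certificate placed under Computer Configuration in the GPO lands in the machine's Trusted Root store, so the policy must be scoped to the computer objects, not only to a user group. The PowerShell script below is an added example, not code from the thread, for running on a domain client to see exactly where the self-signed certificate ended up and whether the GPO delivered it. It assumes the certificate's thumbprint (taken from the IIS binding on the web server) and the intranet host name; both values are placeholders to replace. It uses only cmdlets and .NET types present on Windows 7 / Server 2008 R2 (PowerShell 2.0), so it does not rely on the later PKI module. Note that a successful chain build shows only that the certificate is trusted; IE will still show an error if the certificate's subject name does not match the host name in the URL.

```powershell
# Added example: check how a self-signed web server certificate was (or was not)
# trusted on this client. Both values below are assumptions; replace them.
$Thumbprint = '0000000000000000000000000000000000000000'  # placeholder: thumbprint from the IIS binding
$SiteHost   = 'intranet.example.com'                        # placeholder: host name used in the URL

$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()

# 1. Which store holds the certificate? Computer Configuration GPO delivers to
#    LocalMachine\Root; an import done in the browser by a non-admin lands in
#    CurrentUser\Root and helps only that one user on that one machine.
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
$inUserRoot    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $Thumbprint }
"Present in LocalMachine\Root : $([bool]$inMachineRoot)"
"Present in CurrentUser\Root  : $([bool]$inUserRoot)"

# 2. Did Group Policy put it there? Certificates pushed through
#    Computer Configuration\...\Public Key Policies are written under the policy
#    key, so a hit here proves the GPO reached this computer.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
"Delivered by computer GPO    : $(Test-Path $policyKey)"

# 3. Is the GPO applied to this computer at all? If the GPO is filtered to a
#    user group only, it will be missing from the computer-scope result set.
gpresult /r /scope:computer

# 4. Fetch the live certificate from the site and try to build a chain as the
#    current user. The validation callback accepts anything so that the
#    handshake completes even when the certificate is not yet trusted.
function Get-RemoteCertificate([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$cert = Get-RemoteCertificate $SiteHost
"Server presents thumbprint   : $($cert.Thumbprint) (subject: $($cert.Subject))"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # self-signed: no CRL to fetch
$trusted = $chain.Build($cert)
"Chain builds for this user   : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) - $($_.StatusInformation)" }
}
```

Read the output top down: if step 2 is false, the computer never received the GPO (fix the scope or security filtering on the GPO so the computer account is in it, then run `gpupdate /force`); if step 2 is true but step 4 fails with `UntrustedRoot`, the thumbprint served by IIS differs from the one you exported; if the chain builds but IE still complains, compare the subject shown in step 4 with the host name in the URL.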

