Adding Self-Signed PKI to Windows Trusted Certificate Store via Group Policy

Exporting Certificates from XCA

  1. Launch XCA
  2. Open the PKI database if it is not already open (File > Open DataBase) and enter the database password
  3. Click on the Certificates tab
  4. Right click the Intermediate CA certificate > Export > File
  5. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  6. Click OK
  7. Right click the Root CA certificate > Export > File
  8. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  9. Click OK

Push Certificates Into Windows Certificate Store Via GPO

  1. Launch Group Policy Management (Control Panel > Administrative Tools > Group Policy Management)
  2. Right click Default Domain Policy > Edit...
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
  4. Right click Trusted Root Certification Authorities > Import...
  5. Click Next
  6. Click Browse > Select the exported Root CA .crt file > Click Next
  7. Verify Include all extended properties is checked
  8. Click Next
  9. Click Next
  10. Click Finish
  11. Right click Intermediate Certification Authorities > Import...
  12. Click Next
  13. Click Browse > Select the exported Intermediate CA .crt file > Click Next
  14. Verify Include all extended properties is checked
  15. Click Next
  16. Click Next
  17. Click Finish
  18. Close the Group Policy Management Editor window
  19. Force a Group Policy update: right click the Start button > Run > cmd
  20. Type gpupdate /force
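
Verifying the Exported Files and the Deployed Trust

The following PowerShell is an added example, not part of the original procedure. It checks that the two exported files are the certificates you meant to import (the Root is a self-issued CA, the Intermediate is a CA issued by that Root) and, after gpupdate, that both landed in the machine stores. The file paths are placeholders.

```powershell
# Added example. Paths are placeholders for the two files exported from XCA.
$RootPath         = 'C:\Temp\root-ca.crt'
$IntermediatePath = 'C:\Temp\intermediate-ca.crt'

function Get-CaCertInfo {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 loads both PEM and DER encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Cert       = $cert
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
        SubjectDer = [Convert]::ToBase64String($cert.SubjectName.RawData)
        IssuerDer  = [Convert]::ToBase64String($cert.IssuerName.RawData)
    }
}

$root = Get-CaCertInfo -Path $RootPath
$int  = Get-CaCertInfo -Path $IntermediatePath

# Checks to run before importing into the GPO (name chaining only, no signature check).
$problems = @()
if (-not $root.IsCA) { $problems += 'Root file is not a CA certificate' }
if (-not $int.IsCA)  { $problems += 'Intermediate file is not a CA certificate' }
if ($root.SubjectDer -ne $root.IssuerDer) { $problems += 'Root file is not self-issued' }
if ($int.SubjectDer  -eq $int.IssuerDer)  { $problems += 'Intermediate file is self-issued (files swapped?)' }
if ($int.IssuerDer   -ne $root.SubjectDer) { $problems += 'Intermediate was not issued by this Root' }
foreach ($c in $root, $int) {
    if ($c.NotAfter -lt (Get-Date)) { $problems += "Expired: $($c.Cert.Subject)" }
}

# Checks to run on a domain member after gpupdate /force.
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$inCaStore   = Test-Path "Cert:\LocalMachine\CA\$($int.Thumbprint)"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation lookups; a private CA's CRL may not be reachable from this host.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($int.Cert)   # true only if the signature chain ends in a trusted root

[pscustomobject]@{
    RootThumbprint         = $root.Thumbprint
    IntermediateThumbprint = $int.Thumbprint
    FileProblems           = $problems -join '; '
    RootInTrustedRoot      = $inRootStore
    IntermediateInCaStore  = $inCaStore
    IntermediateChainsOk   = $chainOk
} | Format-List
```

Compare the two thumbprints against the fingerprints XCA shows for the same certificates before importing, since anything placed under Trusted Root Certification Authorities in the Default Domain Policy becomes trusted by every computer in the domain.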