70 lines
No EOL
3.4 KiB
HTML
70 lines
No EOL
3.4 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>Adding Self-Signed PKI to Windows Trusted Certificate Store via Group Policy</title>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<meta charset="UTF-8">
|
|
<meta name="keywords" content="PKI,Public Key Infrastructure,XCA,SSL,Web Server,OpenVPN,Certificates,Certificate Authority,Self-Signed,Tutorial">
|
|
<meta name="author" content="i12bretro">
|
|
<meta name="description" content="Adding Self-Signed PKI to Windows Trusted Certificate Store via Group Policy">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<link rel="icon" type="image/x-icon" href="includes/favicon.ico">
|
|
<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
|
|
<script type="text/javascript" src="includes/js/steps.js"></script>
|
|
<link href="css/steps.css" rel="stylesheet" type="text/css" />
|
|
</head>
|
|
<body>
|
|
<div id="gridContainer">
|
|
<div class="topMargin"></div>
|
|
<div id="listName" class="topMargin">
|
|
<h1>Adding Self-Signed PKI to Windows Trusted Certificate Store via Group Policy</h1>
|
|
</div>
|
|
<div></div>
|
|
<div id="content">
|
|
<p>This is part three of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.</p>
|
|
|
|
<p>Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.</p>
|
|
|
|
<h2>Exporting Certificates from XCA</h2>
|
|
|
|
<ol>
|
|
<li>Launch XCA</li>
|
|
<li>Open the PKI database if it is not already (File > Open DataBase), enter password</li>
|
|
<li>Click on the Certificates tab</li>
|
|
<li>Right click the Intermediate CA certificate > Export > File</li>
|
|
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
|
|
<li>Click OK</li>
|
|
<li>Right click the Root CA certificate > Export > File</li>
|
|
<li>Set the file name with a .crt extension and verify the export format is PEM (*.crt)</li>
|
|
<li>Click OK</li>
|
|
</ol>
|
|
|
|
<h2>Push Certificates Into Windows Certificate Store Via GPO</h2>
|
|
|
|
<ol>
|
|
<li>Launch Group Policy Management (Control Panel > Administrative Tools > Group Policy Management)</li>
|
|
<li>Right click Default Domain Policy > Edit...</li>
|
|
<li>Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies</li>
|
|
<li>Right click Trusted Root Certification Authorities > Import..</li>
|
|
<li>Click Next</li>
|
|
<li>Click Browse > Select the exported Root CA .crt file > Click Next</li>
|
|
<li>Verify Include all extended properties is checked</li>
|
|
<li>Click Next</li>
|
|
<li>Click Next</li>
|
|
<li>Click Finish</li>
|
|
<li>Right click Intermediate Certification Authorities > Import..</li>
|
|
<li>Click Next</li>
|
|
<li>Click Browse > Select the exported Intermediate CA .crt file > Click Next</li>
|
|
<li>Verify Include all extended properties is checked</li>
|
|
<li>Click Next</li>
|
|
<li>Click Next</li>
|
|
<li>Click Finish</li>
|
|
<li>Close the Group Policy Management Editor window</li>
|
|
<li>Force Group Policy update by Right clicking the start button > Run > cmd</li>
|
|
<li>Type gpupdate /force</li>
|
|
</ol>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
|