Adding Self-Signed PKI to Windows Trusted Certificate Store via Group Policy

This is part three of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.

Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.

Prerequisites

Exporting Certificates from XCA

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab
  4. Right click the Intermediate CA certificate > Export > File
  5. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  6. Click OK
  7. Right click the Root CA certificate > Export > File
  8. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  9. Click OK

Push Certificates Into Windows Certificate Store Via GPO

  1. Launch Group Policy Management (Control Panel > Administrative Tools > Group Policy Management)
  2. Right click Default Domain Policy > Edit...
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
  4. Right click Trusted Root Certification Authorities > Import..
  5. Click Next
  6. Click Browse > Select the exported Root CA .crt file > Click Next
  7. Verify Include all extended properties is checked
  8. Click Next
  9. Click Next
  10. Click Finish
  11. Right click Intermediate Certification Authorities > Import..
  12. Click Next
  13. Click Browse > Select the exported Intermediate CA .crt file > Click Next
  14. Verify Include all extended properties is checked
  15. Click Next
  16. Click Next
  17. Click Finish
  18. Close the Group Policy Management Editor window
  19. Force Group Policy update by Right clicking the start button > Run > cmd
  20. Type gpupdate /force