group policy help

Rising Flight 4,996 Reputation points
2025-03-27T13:40:29.1966667+00:00

I have two certificates that are set to expire in a month. One certificate is placed in the Trusted Root Certification Authority and the other in the Intermediate Certification Authority.

I have renewed these certificates and now have the new ones in .cer format. I want to deploy them to the Trusted Root Certification Authority and the Intermediate Certification Authority without disturbing the old certificates (i.e., without overwriting them). However, I am unsure how the previous certificates were deployed.

Please guide me on how to deploy these certificates using Group Policy. Additionally, could anyone confirm which folder I should use to place the script? Is C:\Windows\SYSVOL\domain on the domain controller the correct location to copy the .cer files?

Active Directory

Accepted answer
  1. Geoff McKenzie 690 Reputation points
    2025-04-01T23:28:01.99+00:00

    Hi Rising Flight,

    I understand you want to publish 2 new certificates, 1x root and 1x issuing CA, to your domain. I assume these are not Windows CAs (or at least not Windows enterprise CAs).

    There are two ways I can think of 'off the top of my head':

    Certutil.exe -dspublish
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    "-dsPublish
    Publishes a certificate or certificate revocation list (CRL) to Active Directory.
    certutil [options] -dspublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]"

    And GPO
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

    Regards,

    Geoff
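
A pre-publication check for the certutil route in the answer above, added here as an example; it is not part of Geoff's answer or of Microsoft's documentation. It assumes the new intermediate was issued by the new root, and the file paths and expected thumbprints are placeholders to replace with your own.

```powershell
using namespace System.Security.Cryptography.X509Certificates
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions): file paths, and thumbprints confirmed out-of-band with the CA owner.
$files = @(
    @{ Path = 'C:\Temp\new-root.cer';         Type = 'RootCA'; Thumbprint = '<ROOT-THUMBPRINT>' }
    @{ Path = 'C:\Temp\new-intermediate.cer'; Type = 'SubCA';  Thumbprint = '<INTERMEDIATE-THUMBPRINT>' }
)

foreach ($f in $files) {
    $cert = [X509Certificate2]::new($f.Path)
    $f.Cert = $cert
    # The file must be exactly the certificate the CA owner announced.
    if ($cert.Thumbprint -ne ($f.Thumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch for $($f.Path): got $($cert.Thumbprint)"
    }
    # It must be inside its validity period today.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "$($f.Path) is not valid today ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # Only CA certificates belong in these stores: Basic Constraints must say CA=TRUE.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$($f.Path) is not a CA certificate"
    }
}

$root = $files[0].Cert
$sub  = $files[1].Cert
if ($root.Subject -ne $root.Issuer) { throw 'The root file is not self-issued; do not publish it as RootCA' }

# Build the intermediate's chain with the new root offered as a candidate issuer.
# Revocation is not checked here: this only tests that the two files fit together.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.ChainPolicy.ExtraStore.Add($root)
if (-not $chain.Build($sub)) { throw 'The intermediate does not chain to a root' }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# Compare keys, not thumbprints: the chain may end at an existing root certificate with the same key.
if ($top.GetPublicKeyString() -ne $root.GetPublicKeyString()) {
    throw 'The intermediate was not signed by the new root key'
}

# Publish with the syntax quoted in the answer.
foreach ($f in $files) {
    certutil -dspublish $f.Path $f.Type
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $($f.Path)" }
}
```

Any failed check stops the script before certutil runs, so nothing reaches the directory until both files match the values you were given.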
