daknetworks.com


Trust Custom Root Certificate Authority | Trust Custom Root CA

Internal web site with a domain.corp name.
The site's certificate is issued by a custom intermediate-CA, which in turn is signed by a custom root-CA.

How to trust that chain for the entire internal domain.

Get the Certificates

-open INTERNET-EXPLORER (as-admin).
-go to site with custom security.
-view certificate.
-click DETAILS
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: sub.domain.tld.cer

-click CERTIFICATION-PATH
-click the INTERMEDIATE certificate (the one in the middle).
-click VIEW-CERTIFICATE.
-click DETAILS.
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: intermediate-hostname-as-in-certificate.cer

-click CERTIFICATION-PATH
-click the ROOT certificate (the one at the top).
-click VIEW-CERTIFICATE.
-click DETAILS.
-click COPY-TO-FILE.
-save type as BASE-64-ENCODED (not DER).
-save as: root-hostname-as-in-certificate.cer
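Same three exports without the Internet Explorer click-through, as an added example (not code from the original post): connect to the site, read the chain Windows builds, and write each certificate as a Base-64 .cer. Assumptions: the host name is the example host used later in this post, the output folder is arbitrary, and the machine runs Windows PowerShell 5.1. No elevation is needed just to read a chain.

```powershell
# Added example, not from the original post: export a site's certificate chain
# (leaf, intermediate(s), root) as Base-64 .cer files, the way IE's
# "Base-64 encoded X.509" option does, but scripted.
# Assumed values: host name from this post, temp output folder.

$Hostname = 'processes.domain.corp'        # example host used in this post
$Port     = 443
$OutDir   = Join-Path $env:TEMP 'corp-ca'  # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$certType   = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$chainCerts = New-Object "System.Collections.Generic.List[$certType]"
$outcome    = @{ Errors = $null }

# The validation callback is the only place .NET hands us the built chain.
# It copies every element (leaf first, root last) and records the policy
# result, then returns $true so the handshake completes even before the
# custom root is trusted. Nothing is trusted by this script; it only reads.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]({
    param($sender, $cert, $chain, $errors)
    if ($chain) {
        foreach ($el in $chain.ChainElements) {
            $chainCerts.Add((New-Object $certType -ArgumentList (,$el.Certificate.RawData)))
        }
    }
    $outcome.Errors = $errors
    return $true
}.GetNewClosure())

$tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Hostname)   # sends the host name as SNI, as a browser would
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

function Export-Base64Cer {
    param([string]$Path, $Cert)
    # PEM (Base-64 with BEGIN/END lines), not DER, matching the steps above.
    $b64 = [Convert]::ToBase64String($Cert.RawData, 'InsertLineBreaks')
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $Path -Value $pem -Encoding Ascii -NoNewline
}

$last = $chainCerts.Count - 1
for ($i = 0; $i -le $last; $i++) {
    $c    = $chainCerts[$i]
    $cn   = ($c.GetNameInfo('SimpleName', $false) -replace '[^\w.-]', '_')
    $role = if ($i -eq 0) { 'leaf' }
            elseif ($i -eq $last -and $c.Subject -eq $c.Issuer) { 'root' }
            else { 'intermediate' }
    $file = Join-Path $OutDir ("{0}-{1}.cer" -f $role, $cn)
    Export-Base64Cer -Path $file -Cert $c
    # The thumbprint is what you confirm with whoever runs the CA before the
    # root goes into Trusted Root: fetching it over the network is trust-on-first-use.
    '{0,-12} {1}  SHA1={2}' -f $role, $file, $c.Thumbprint
}

if ($chainCerts.Count -eq 0 -or $chainCerts[$last].Subject -ne $chainCerts[$last].Issuer) {
    Write-Warning 'No self-signed root was seen: the server did not send it and none is installed. Get the root .cer from the CA operator instead.'
}
"Chain status on this machine before import: $($outcome.Errors)"
```

Before the root is imported the last line normally reports RemoteCertificateChainErrors; that is expected and is what the import steps below fix.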

FOR SINGLE PC CLIENT

-open cmd.
-type: mmc
-add/remove snap-ins
-open CERTIFICATES
-select COMPUTER-ACCOUNT

-expand to TRUSTED-ROOT-CERTIFICATION-AUTHORITIES > CERTIFICATES
-right-click CERTIFICATES
-click IMPORT
-select root-hostname-as-in-certificate.cer

-expand to INTERMEDIATE-CERTIFICATION-AUTHORITIES > CERTIFICATES
-right-click CERTIFICATES
-click IMPORT
-select intermediate-hostname-as-in-certificate.cer

Reboot system.
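The same import for a single PC, scripted, as an added example (not code from the original post): root into Trusted Root Certification Authorities, intermediate into Intermediate Certification Authorities, both in the computer account's stores, followed by a chain build that doubles as the manual test. Assumptions: the .cer files are the ones saved in the section above, in an arbitrary folder; the shell is elevated (LocalMachine stores are read-only otherwise); Import-Certificate comes from the PKI module shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post: script the mmc import steps and
# verify the result. Assumed folder and file names follow the section above.
# Run from an elevated PowerShell.

$CertDir    = Join-Path $env:TEMP 'corp-ca'   # assumed folder
$RootFile   = Join-Path $CertDir 'root-hostname-as-in-certificate.cer'
$IntermFile = Join-Path $CertDir 'intermediate-hostname-as-in-certificate.cer'
$LeafFile   = Join-Path $CertDir 'sub.domain.tld.cer'

# Refuse to put anything but a self-signed certificate into Trusted Root:
# a mis-filed intermediate there would silently widen what the machine trusts.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootFile
if ($root.Subject -ne $root.Issuer) {
    throw "$RootFile is not self-signed; it does not belong in Trusted Root."
}
"Trusting root: $($root.Subject)  SHA1=$($root.Thumbprint)"
# Compare that thumbprint with the value the CA operator published before going on.

# Cert:\LocalMachine\Root = Trusted Root Certification Authorities
# Cert:\LocalMachine\CA   = Intermediate Certification Authorities
Import-Certificate -FilePath $RootFile   -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $IntermFile -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# Manual check: can Windows now build a trusted chain for the site certificate?
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Internal CAs often publish no CRL; revocation checking is a separate decision
# from trusting the root, so it is switched off for this trust test only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($leaf)
"Chain builds and is trusted: $ok"
foreach ($st in $chain.ChainStatus) {
    "  status: $($st.Status) - $($st.StatusInformation.Trim())"
}
foreach ($el in $chain.ChainElements) {
    "  " + $el.Certificate.Subject
}
```

With both stores populated the chain should list leaf, intermediate and root with no status entries; UntrustedRoot or PartialChain means the wrong file went into the wrong store.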

FOR GROUP POLICY DOMAIN

-start new GP
-click COMPUTER > POLICIES > WINDOWS-SETTINGS > SECURITY-SETTINGS > PUBLIC-KEY-POLICIES
-click TRUSTED-ROOT-CERTIFICATION-AUTHORITIES
-click IMPORT
-select root-hostname-as-in-certificate.cer

-expand to INTERMEDIATE-CERTIFICATION-AUTHORITIES
-click IMPORT
-select intermediate-hostname-as-in-certificate.cer

Firefox to Trust

-open FIREFOX
-in address bar, type: about:config
-accept the warning message that appears.
-type: security.enterprise_roots.enabled
-toggle to TRUE (default is FALSE).

Test

To test, either visit the site or install OPENSSL on the system and check manually:
echo GET | openssl s_client -connect processes.domain.corp:443
Look for "Verify return code: 0 (ok)" in the output. Note that OpenSSL verifies against its own CA file, not the Windows stores, so pass the exported root with -CAfile if it reports "unable to get local issuer certificate".
