I have been tasked with deploying a new cert for Root CA across our entire domain.
Anyone have any advice? I am building it as a software package. Am I correct?
Thanks for any feedback.
You may need a combination of approaches to solve this depending on how homogenous your environment is.
For Windows computers, if they are domain joined, the easiest approach by far is to create/update your PKI group policy to trust that specific CA. If your CAs are Microsoft and AD integrated, this may already be trusted. Check with your AD admin.
Alternatively on Windows you can use Powershell or Certutil commands to import new trusted roots.
CERTUTIL -addstore -enterprise -f -v root “mycert.cer”
In Powershell:
Import-Certificate -FilePath “C:\CA-PublicKey.Cer” -CertStoreLocation Cert:\LocalMachine\Root
For Java truststores - regardless of OS - you’ll need to use Keytool to add the CA public key to the Java trust store.
keytool.exe -importcert -noprompt -trustcacerts -alias YOURALIAS -file PATH\FILENAME -keystore KEYSTORE_PATH\KEYSTORE_NAME -storepass PASSWORD
Some browsers like Firefox also have their own trust store. Depending on whether your organization sanctions/supports Firefox, you may need a job to update that too. See Firefox documentation.
For Macs, you’d want to update their keychain.
So it may be as simple as a single GPO update or as complex as a half dozen custom jobs to import the root CA into different types of trust stores.
2 Likes
Memo from 2022: Perfect thread that exactly answers the question I came for! Superb SEO text matching!
A+++ would forum again.
2 Likes