This article details how to automate certificate installation with Active Directory when using SSL login.
Automating certificate installation with Active Directory
A Smoothwall configured to act as a proxy to enable content filtering using a web based SSL login page.
Installing the certificate on the Computer
- Open Internet Explorer, and log in to the Smoothwall Secure Login page as you normally would to gain internet access
- You will be faced with a security alert dialog box. At the bottom, underneath the question Do you want to proceed? are three buttons, Yes, No, and View Certificate. Click View Certificate
- You can now see the details of the certificate. At the top are three tabs labeled Certificate (the current tab), Details, and Certification Path. At the moment, we need to install the certificate using the button at the bottom middle of the dialog box. Clicking on this button will install the certificate on to your system.
- As we want to install the certificate on the computer, click Install Certificate
- Now follows a series of dialog boxes asking for your input to install the certificate. Click Next, Next, and Finish
- You will finally see a dialog box informing you that the certificate import wizard has been successful Click the OK button, then OK on the Certificate dialog and Yes on the Security Alert dialog box
Now we need to export the certificate so we can add the file directly into a Group Policy configured on Active Directory.
Exporting the Certificate from the Certificate Store
- Inside Internet Explorer, go to Tools, then select Internet Options
- At the top of the Internet Options dialog box are several tabs. Select the Content tab
- In the middle of the dialog box is a button labeled
Certificates. Click on it
- Click on the tab labeled Trusted Root Certificates and look for the hostname of your Smoothwall in the Issued To and Issued By columns. Click on this certificate to select it
- The certificate we want may be distinguished by having no Friendly Name, instead this will be labeled with . Click the button labeled Export on the dialog
- Click Next
- At the following screen, ensure that Base-64 encoded x.509 (.CER) certificate is selected, and click Next
- In the Filename box, type in SWSSLCERT. No file extension is needed, as this is automatically added by the export wizard. Click Next
- On the dialog box labeled Completing the Certificate Export Wizard, quickly look at the File Name line to ensure you know where the certificate will be saved. Click Finish
- Click OK on each open dialog box to close all the open dialog boxes
Creating Group Policy to Automatically Install the Smoothwall Certificate
- Log in to a domain controller with a domain admin account
- Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers
- To create a domain wide policy, right click on your domain root displayed as your domain name
- Go down to Properties, and from the dialog that appears select the tab labeled Group Policy
- Click New, and name the policy Certificate Installer
- Select the new Group Policy Object, and click Edit.
- You will see the Group Policy Object Editor. From here select Computer Configuration > Windows Settings > Security Settings > Public Key Policies
- On the right hand side of the window, click once on Trusted Root Certification Authorities. Right click on this object
- Select Import from the menu that pops up. The Certificate Import Wizard dialog appears. Click Next
- On the next dialog box, click Browse
- Navigate to where you saved the certificate SWSSLCERT.cer. Click Open
- With the full path to the certificate file present, accept the default to place all certificates in the following store (Trusted Root Certification Authorities)
- Click Next, then click Finish on the last dialog
- To close the Group Policy Object dialog, simply click OK, and close Active Directory Users and Computers
You have now created the Group Policy Object to install the certificate on all the computers in your domain.
You can check the Group Policy has propagated to all the computers in the domain by (on a workstation PC) opening Internet Explorer, going to: Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities and ensuring your Smoothwall certificate is present.
30 August 2016