How to import UCS Root CA into Windows 10 (GPO)

How to import UCS root CA on Windows clients (UCS 5)

Original article here: https://help.univention.com/t/how-to-import-ucs-root-ca-on-windows-clients/8847

Creating a group policy on a Windows 10 client (UI language: German; the English names of the menu items are given in parentheses)

gpmc.msc is not part of a default Windows 10 installation; it comes with the Remote Server Administration Tools (RSAT). Either install RSAT on the client or carry out steps 1 and 3 to 5 on a domain controller or another machine that already has the Group Policy Management console.

1. Open “Gruppenrichtlinienverwaltung” (Group Policy Management)

  1. Press Win + R (or press the Windows key and type “run”)
  2. Type gpmc.msc and hit Enter
    1. Alternatively go to “Windows-Verwaltungsprogramme” (Windows Administrative Tools) —> “Gruppenrichtlinienverwaltung”
  3. Browse to:
    - Gesamtstruktur: [Domain] (Forest)
    - Domänen (Domains)
    - [Domain]
    - Click on Gruppenrichtlinienobjekte (Group Policy Objects)
    [screenshot gpo-1]
  4. Then click “Aktion” —> “Neu” (Action —> New) and give the new GPO a name of your liking (e.g. “TestGPO”)
    [screenshot gpo-2]

2. Download the UCS root certificate

Open a browser window and browse to the address of your domain controller (e.g. https://ucs5-primary.schule.de)

  1. Click on the burger menu (1), on “Zertifikate” (Certificates) (2) and then on “Wurzelzertifikate” (Root certificate) (3) and download it to your computer
    [screenshot gpo-3]
    [screenshot gpo-4]

The browser will most likely warn about an untrusted connection at this point, because the UCS CA is exactly what Windows does not trust yet. Before you deploy the file, compare its fingerprint with the one obtained directly on the UCS primary (e.g. with openssl x509 -noout -fingerprint -sha256 on the CA certificate file there), so that a tampered-with download does not end up as a trusted root on every client.

3. Edit the GPO

Go back to the Gruppenrichtlinienverwaltung, right-click on the GPO you created in step 1.4 (1) and click “Bearbeiten” (Edit) (2). This opens the Gruppenrichtlinienverwaltungs-Editor (Group Policy Management Editor).
[screenshot gpo-5]

In the Gruppenrichtlinienverwaltungs-Editor:

  1. Browse to:
    • Computerkonfiguration (Computer Configuration)
      • Richtlinien (Policies)
        • Windows-Einstellungen (Windows Settings)
          • Sicherheitseinstellungen (Security Settings)
            • Richtlinien für öffentliche Schlüssel (Public Key Policies)
              • Vertrauenswürdige Stammzertifizierungsstellen (Trusted Root Certification Authorities) —> Right-click “Importieren…” (Import…)
                [screenshot gpo-6]

Because this is a Computer Configuration setting, it applies to the computer accounts in whatever container the GPO is linked to (step 5), regardless of which user logs on.

4. Import the certificate

Click through the Certificate Import Wizard that opens, select the root certificate file you downloaded in step 2, and when asked where to place it choose “Alle Zertifikate in folgendem Speicher speichern” (Place all certificates in the following store):

  1. “Zertifikatspeicher: Vertrauenswürdige Stammzertifizierungsstellen” (Certificate store: Trusted Root Certification Authorities)
    [screenshot gpo-8]

5. Link the GPO

Back in Gruppenrichtlinienverwaltung:

  1. Browse to:
    • Gesamtstruktur: [Domain]
      • Domänen
        • [Domain] —> Right-click “Vorhandenes Gruppenrichtlinienobjekt verknüpfen…” (Link an Existing GPO…) and select the GPO from step 1
          [screenshot gpo-9]

Linking at the domain level makes every domain-joined computer trust the UCS CA. If only some machines should, link the GPO to the organizational unit that contains those computer objects instead.

6. Apply the changed GPO

Domain members pick up the new policy at the next background policy refresh or at the next reboot. To apply it immediately on a Windows client, run gpupdate /force. Afterwards gpresult /r (run as administrator to see the computer scope) lists the GPO under the applied computer policies, and the certificate appears in the Trusted Root Certification Authorities store of the local computer (certlm.msc).
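As an added example (not part of the original post), the following PowerShell script checks the downloaded root certificate before it goes into the GPO and confirms afterwards that the policy delivered it to a client. The file path C:\Temp\ucs-root-ca.crt and the expected fingerprint are assumptions; take the fingerprint from the UCS primary itself, never from the download you are about to verify.

```powershell
# Added example, not code from the original post.
# Assumptions: the file from step 2 was saved as C:\Temp\ucs-root-ca.crt, and
# $ExpectedSha256 was read on the UCS primary, e.g.
#   openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -fingerprint -sha256
# (the path is the usual UCS location; check it on your system).
$CaFile         = 'C:\Temp\ucs-root-ca.crt'
$ExpectedSha256 = 'AA:BB:CC:...'   # placeholder, replace with the value from the UCS host

function Get-CertSha256Fingerprint {
    # Same format as OpenSSL: upper-case hex bytes joined by ':'
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Cert.RawData)
    return ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}

# 1. Load the downloaded file and make sure it really is a self-signed CA certificate.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a root (self-signed) certificate: $($ca.Subject) issued by $($ca.Issuer)"
}
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints do not mark this certificate as a CA; do not deploy it as a root'
}

# 2. Compare the fingerprint with the value obtained out of band on the UCS primary.
$actual = Get-CertSha256Fingerprint -Cert $ca
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Fingerprint mismatch: got $actual, expected $ExpectedSha256 - do not deploy this file"
}
Write-Host "Fingerprint OK: $actual (subject '$($ca.Subject)', valid until $($ca.NotAfter))"

# For a single machine that is not in the domain, the same store can be written
# directly instead of via GPO (run as administrator):
#   Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root

# 3. On a client, after 'gpupdate /force': confirm the CA is in the machine's
#    Trusted Root store. Windows identifies certificates by their SHA-1 thumbprint.
$deployed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if ($deployed) {
    Write-Host "UCS root CA is trusted on this machine: $($deployed.Subject)"
} else {
    Write-Warning 'UCS root CA not found in LocalMachine\Root yet; check gpresult /r for the GPO link'
}
```

Step 1 matters because the GPO wizard will happily place any certificate, including an end-entity certificate or a CA you did not intend, into the Trusted Root store of every computer the GPO reaches; the script rejects anything that is not a self-signed CA certificate with a matching fingerprint before it gets that far.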


Firefox, Google Chrome, IE

Google Chrome and Internet Explorer use the Windows certificate store, so they trust the UCS CA as soon as the GPO has been applied. Firefox ships its own root store and ignores the Windows store by default, so its configuration has to be changed.

Open about:config in Firefox. You will be presented with a list of settings parameters and a search mask.

Search for security.enterprise_roots.enabled and double-click it to change its value to true. Firefox then also trusts the CAs in the Windows Trusted Root Certification Authorities store, including those delivered via GPO.

Update: You can now also achieve this with a Group Policy via the ADMX templates for Firefox provided by Mozilla: https://github.com/mozilla/policy-templates/blob/master/README.md
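The policy route mentioned in the update, as an added example that is not part of the original post: the Firefox ADMX template writes the Certificates / ImportEnterpriseRoots policy as a registry value under HKLM\SOFTWARE\Policies\Mozilla\Firefox. The snippet below sets that value directly and verifies it, which is useful for a single machine or for checking what a GPO has actually written to a client. Run it as an administrator.

```powershell
# Added example, not code from the original post.
# Sets the Mozilla policy "Certificates -> ImportEnterpriseRoots" (the same value the
# ADMX template / GPO writes). Firefox reads it on the next start and locks the
# about:config pref security.enterprise_roots.enabled to true.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'

# Create the key (and its parents) if it does not exist yet, then set the DWORD.
New-Item -Path $PolicyKey -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name 'ImportEnterpriseRoots' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify what is in the registry; after a GPO run this is the value to check.
$value = (Get-ItemProperty -Path $PolicyKey -Name 'ImportEnterpriseRoots').ImportEnterpriseRoots
if ($value -eq 1) {
    Write-Host 'Firefox policy set: Windows enterprise roots will be imported'
} else {
    throw "ImportEnterpriseRoots is '$value', expected 1"
}

# Equivalent policies.json (distribution\policies.json in the Firefox install dir),
# for deployments that do not use the registry:
#   { "policies": { "Certificates": { "ImportEnterpriseRoots": true } } }
```

After restarting Firefox, about:policies lists the active policy, and about:config shows security.enterprise_roots.enabled as true and locked.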
