How to import UCS root CA on Windows clients

Note: This works for Chrome and Internet Explorer. See below for the required steps for Firefox.

Make root CA ready to import

On your domaincontroller master execute the following command:

cp /etc/univention/ssl/ucsCA/CAcert.pem /var/lib/samba/sysvol/YOUR DOMAIN/CAcert.crt

Create a group policy

Creating Windows group policies works the same in Samba as in a Windows AD domain.

Install the Remote Server Administration Tools (RSAT) on a Windows client in the domain and run the “Microsoft Group Policy Management Tool”.

The RSAT Tools are available for Windows 10 and Windows 7.

After the RSAT tools are installed, you need to activate the Group Policy Management Tools. Click the Start button and run Turn Windows features on or off. Browse to

Remote Server Administration Tools -> Feature Administration Tools -> Group Policy Management Tools

and activate the checkbox. Click OK.

Now, you can run Group Policy Management from the Start button.
In the Group Policy Management Tool, expand Forest:YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects.

Click Action, and then click New.

Add your root CA to trusted root CAs

Right-click your group policy and choose Edit. A hierarchical structure of settings opens.
Browse to:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies

Right-click Trusted Root Certification Authorities and click Import.
Click Next in the wizard that opens.
On the File to import page, type in the path to the certificate:

\\MASTER HOSTNAME\sysvol\YOUR DOMAIN\CAcert.crt

Click Next.
On the following page, make sure that Place all certificates in the following store is selected and click Next and Finish.

Link the GPO to your domain

To make sure that the GPO is applied, you have to link it to your desired domain or OU. Right-click on the domain or OU and select Link an Existing GPO. Choose your GPO and click OK.

Remove root CA from sysvol

On your domaincontroller master execute the following command:

rm /var/lib/samba/sysvol/YOUR DOMAIN/CAcert.crt
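Once the copy in sysvol is gone, the only way to confirm that the GPO really delivered the CA to a client is to look in the client's certificate stores. The following PowerShell check is an added example and not part of this how-to; it assumes you noted the SHA-256 fingerprint of CAcert.pem on the master beforehand (the openssl command in the comment prints it), and the function name is my own.

```powershell
function Test-UcsRootCaTrusted {
    param(
        # SHA-256 fingerprint as printed on the Domaincontroller Master by:
        #   openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -fingerprint -sha256
        # Pass the value with or without colons; it is normalized below.
        [Parameter(Mandatory)][string]$Sha256Fingerprint
    )
    $wanted = ($Sha256Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    # The GPO in this how-to lives under Computer Configuration, so the CA must
    # end up in the machine-wide store. A hit only in CurrentUser\Root means a
    # user imported it by hand and the policy itself has not been applied.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $match = Get-ChildItem $store | Where-Object {
            $fp = ($sha256.ComputeHash($_.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
            $fp -eq $wanted
        } | Select-Object -First 1
        if ($match) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $match.Subject
                NotAfter   = $match.NotAfter
                # A root CA is expected to be self-signed; anything else in the
                # root store with this fingerprint deserves a closer look.
                SelfSigned = ($match.Subject -eq $match.Issuer)
            }
        }
    }
}

# Example call with a placeholder fingerprint (constructed, not a real UCS value):
# Test-UcsRootCaTrusted -Sha256Fingerprint '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
```

If the function returns nothing, run gpupdate /force and inspect gpresult /r to see whether the linked GPO was applied to the computer at all.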

Firefox

To make Firefox use the Windows root CA store, we need to change its configuration.
Open about:config in Firefox. You will be presented with a list of settings parameters and a search mask.

Search for security.enterprise_roots.enabled and double-click it to change its value to true.

Update: You can now also achieve this with a Group Policy via the ADMX templates for Firefox provided by Mozilla: https://github.com/mozilla/policy-templates/blob/master/README.md
