Note: This works for Chrome and Internet Explorer. See below for the required steps for Firefox.
Make root CA ready to import
On your domaincontroller master execute the following command:
cp /etc/univention/ssl/ucsCA/CAcert.pem /var/lib/samba/sysvol/YOUR DOMAIN/CAcert.crt
Create a group policy
Creating Windows group policies works the same in Samba as in a Windows AD domain.
Install the Remote Server Administration Tools (RSAT) on a Windows client in the domain and run the “Microsoft Group Policy Management Tool”.
The RSAT Tools are available for Windows 10 and Windows 7.
After the RSAT tools are installed, you need to activate the Group Policy Management Tools. Click the Start button and run Turn Windows features on or off. Browse to
Remote Server Administration Tools -> Feature Administration Tools -> Group Policy Management Tools
and activate the checkbox. Click OK.
Now, you can run Group Policy Management from the Start button.
In the Group Policy Management Tool, expand Forest:YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects.
Click Action, and then click New.
Add your root CA to trusted root CAs
Right click and choose Edit on your group policy. A hierachical structure of settings opens.
Browse to:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
Right-click Trusted Root Certification Authorities and click Import.
Click Next in the wizard that opens.
On the File to import page, type in the path to the certificate:
\\MASTER HOSTNAME\sysvol\YOUR DOMAIN\CAcert.crt
Click Next.
On the following page, make sure that Place all certificates in the following store is selected and click Next and Finish.
Link the GPO to your domain
To make sure that the GPO is applied, you have to link it to your desired domain or OU. Right-click on the domain or OU and select Link an Existing GPO. Choose your GPO and click OK.
Remove root CA from sysvol
On your domaincontroller master execute the following command:
rm /var/lib/samba/sysvol/YOUR DOMAIN/CAcert.crt
Firefox
To make Firefox use the Windows root CA store, we need to change it’s configuration.
Open about:config in Firefox. You will be presented with a list of settings parameters and a search mask.
Search for security.enterprise_roots.enabled and double-click it to change it’s value to true.
Update: You can now also achieve this with a Group Policy via the ADMX templates for Firefox provided by Mozilla: https://github.com/mozilla/policy-templates/blob/master/README.md