Install a Self-signed certificate by using Group Policy

Let’s review how to install a certificate on the PCs of domain users and add it to the trusted list with Group Policy. In this case, we will install a self-signed certificate for Exchange on client computers.

If your Exchange server is using a self-signed certificate, users will receive a security alert from Outlook. This will happen when users are setting up Outlook for the first time.


To remove this warning, the user needs to add the Exchange certificate to the list of trusted certificates. This can be done manually (or by integrating the certificate into the corporate OS build), but it’s much easier and more efficient to install the certificate automatically using Group Policy (GPO). With this procedure the certificate will be automatically installed on the PCs of all existing and new users in the domain.


First of all, we need to export the self-signed certificate from your Exchange server. To do that, open the mmc.exe console on the server, then add the Certificates snap-in (for the local computer account).


Go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates

Find your Exchange certificate in the middle section, right-click it and then choose All Tasks -> Export.


In the Certificate Export Wizard, select the DER encoded binary X.509 (.CER) format and choose the destination folder.


After we have exported the Exchange certificate, we need to store it in a network folder that all users have read access to (access can be restricted via NTFS permissions if needed; for example, the folder can be hidden with ABE). For example, let’s say that the path to the certificate file will be: \\msk-fs01\GroupPolicy$\Certificates


Now we are ready to create the certificate deployment policy. Open the Group Policy Management console (gpmc.msc). Create a new policy by selecting the OU it should apply to (in this example this OU includes the computers of regular users, because we do not want to install the certificate on servers and technological systems), and then click Create a GPO in this domain, and Link it here.

Enter a suitable name for the policy (Install-Exchange-Cert) and switch to its edit mode.



In the Group Policy editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.

Right-click in the right pane and select Import.


Choose the path to the imported file that we stored in the network folder.


Make sure to specify that the certificate has to be stored in Trusted Root Certification Authorities.



We did it! The certificate deployment policy has been created. It is also possible to target the policy more strictly using Security Filtering or WMI filters.

Let’s test the policy by running the policy update command (gpupdate /force) on the user PC. You need to make sure that the certificate has appeared in the trusted certificate store. This can be done in certificate management (Trusted Root Certification Authorities -> Certificates), or in the Internet Explorer settings (Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities).


You need to restart your computer, and after this you should no longer receive the warning about an untrusted certificate.
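
The store check from the testing step can also be scripted, together with a check of the exported file before it is imported into the GPO. The PowerShell below is an added example, not part of the original article; the file name Exchange.cer and the thumbprint are placeholders, and the thumbprint should be read from the certificate on the Exchange server itself rather than from the file on the share.

```powershell
# Added example. Assumptions: the file name and the thumbprint are placeholders.
$CerPath  = '\\msk-fs01\GroupPolicy$\Certificates\Exchange.cer'  # share from the article, file name assumed
$Expected = '<THUMBPRINT-READ-ON-THE-EXCHANGE-SERVER>'           # placeholder, replace before use

function Test-RootCandidate {
    param([string]$Path, [string]$ExpectedThumbprint)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    # Normalise the expected value: strip spaces/colons, upper-case
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Basic constraints show whether this certificate could issue others once trusted as a root
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = ($cert.Thumbprint -eq $want)
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        Expired         = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey   = $cert.HasPrivateKey   # must be False for a .CER export
        IsCA            = [bool]($bc -and $bc.CertificateAuthority)
    }
}

function Test-RootInstalled {
    param([string]$Thumbprint)
    $want = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $want })
}

# Before importing into the GPO (run on the admin workstation)
$check = Test-RootCandidate -Path $CerPath -ExpectedThumbprint $Expected
$check | Format-List
if (-not $check.ThumbprintMatch -or $check.HasPrivateKey -or $check.Expired) {
    throw 'Do not import: thumbprint mismatch, private key present, or certificate expired.'
}

# After gpupdate /force (run on a client in the OU the policy is linked to)
if (Test-RootInstalled -Thumbprint $check.Thumbprint) {
    'Certificate is present in LocalMachine\Root'
} else {
    'Certificate not found; check the GPO link and filtering with gpresult /r'
}
```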

And thus we set up the certificate deployment group policy on the domain computers. The certificate will be automatically installed on all new computers without requiring any tech support involvement.
