Deploy self-signed Exchange certificate to PCs and avoid Outlook security alerts!
If you are running an Exchange server using the self-signed certificate then your domain users will receive a security alert from Outlook when setting up Outlook for the first time.
Rather than manually installing the certificate on the PCs individually, the best method is to install the certificate via group policy. This way the certificate will be automatically installed on all of your current computers and new computers that are added to the domain.
First of all we need to export the self-signed certificate from your Exchange server. Open mmc.exe on the server.
Click File and select Add/Remove Snap-in. Add the Certificates snap-in and choose to manage it using the local computer account.
Expand Certificates (Local Computer) and select Trusted Root Certification Authorities from the menu on the left hand side.
Right click on your Exchange certificate and choose All Tasks followed by Export…
Go through the export wizard and select the default format DER encoded binary X.509 (.CER).
Now that you have exported the Exchange certificate we need to store it in a file share that all users have read access to. Hidden shares work fine for this too.
E.g. \\SERVERNAME\Group Policy$\Certificates
We are now ready to create our Group Policy Object! Open Group Policy Management on your server.
The group policy object that we will be creating will change the computer configuration, you can either link the group policy object to the root of the domain or to just a single OU for your computers.
Enter a suitable name for the group policy object. Select it from the menu on the left hand side, right click and select Edit…
In the Group Policy editor, use the menu on the left hand side to browse to:
Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies – Trusted Root Certification Authorities.
Right click in the right pane and select Import…
Go through the import wizard and select the certificate that you exported to the share earlier.
E.g. \\SERVERNAME\Group Policy$\Certificates\Exchange.cer
Make sure that the wizard states that the certificate will be stored in the Trusted Root Certification Authorities store.
All done! You can now close the Group Policy Editor and add computers to the group policy using Security Filtering. Alternatively, you can leave the Authenticated Users security group in place to apply the group policy to all computers in the domain.
All you need to do now is run gpupdate /force on a computer to test the group policy. You should then be prompted to restart the computer, and if you log in as a fresh user you should not receive the security alert when you set up Outlook.
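The export and the client-side check from the steps above, as an added PowerShell example (not from the original article). The thumbprint and share path are placeholders; the GPO import itself still happens in the Group Policy editor as described.

```powershell
# Added example; not part of the original article. Placeholders to replace:
# the certificate thumbprint (from Get-ExchangeCertificate or the MMC) and the share path.
$Thumbprint = 'REPLACE_WITH_EXCHANGE_CERT_THUMBPRINT'
$ExportPath = '\\SERVERNAME\Group Policy$\Certificates\Exchange.cer'

# Step 1 (run on the Exchange server): export the public certificate as DER .CER,
# the same format the article's export wizard produces. Only the public part is
# written; the private key never leaves the server.
function Export-ExchangeSelfSignedCert {
    param([string]$Thumbprint, [string]$Path)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in the local computer stores" }
    # A self-signed certificate has identical Subject and Issuer; refuse anything else,
    # since only the self-signed Exchange certificate belongs in Trusted Root.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$($cert.Subject) is not self-signed; it was issued by $($cert.Issuer)"
    }
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    # Re-read the file and confirm the thumbprint survived the export before it goes into a GPO.
    $onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($onDisk.Thumbprint -ne $Thumbprint) { throw "Exported file does not match thumbprint $Thumbprint" }
    "Exported $($cert.Subject) (expires $($cert.NotAfter)) to $Path"
}

# Step 2 (run on a domain-joined client after the GPO is linked): refresh computer policy
# and confirm the certificate landed in the computer's Trusted Root store.
function Test-ExchangeCertTrusted {
    param([string]$Thumbprint)
    gpupdate /force /target:computer | Out-Null
    $trusted = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($trusted) {
        "OK: $($trusted.Subject) is trusted on $env:COMPUTERNAME until $($trusted.NotAfter)"
    } else {
        "MISSING on $env:COMPUTERNAME: check the GPO link, Security Filtering and gpresult /r"
    }
}

# Usage on the Exchange server:
#   Export-ExchangeSelfSignedCert -Thumbprint $Thumbprint -Path $ExportPath
# Usage on a client after the GPO has been linked:
#   Test-ExchangeCertTrusted -Thumbprint $Thumbprint
```

Export-Certificate comes with the PKI module on Windows 8 / Server 2012 and later; on older servers use the MMC export wizard from the article and only the client-side check applies.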