Virtual Geek

Tales from real IT system administrators world and non-production environment

Push SSL certificates to client computers using Group Policy

In my earlier article I showed how to generate new self-signed certificates for ESXi using OpenSSL. Importing that certificate into the local certificate store is fine for a single computer or 2-3 systems, but it becomes a tedious task if you have to maintain it on more than 10 systems; think about what happens with 50 systems when you want to add, remove or edit the certificate later. Scripts make it easier, but there should be a properly automated way. For this purpose I am using Group Policy, which is available to me: configure it once and forget it, and it is easier to edit or remove later. I have my CRT file ready from the earlier article and am using the same file to upload.

Go to Cortana search and type Group Policy Management to launch it. In this MMC snap-in, expand and follow the path Forest >> Domains >> Group Policy Objects and left-click it. Click New from the context menu; in the New GPO dialog give it a meaningful name and click OK.

[Screenshot: Group Policy Management, creating a new GPO under Group Policy Objects]

Once the new GPO is listed, right-click it and click Edit. This opens the Group Policy Management Editor.

[Screenshot: Group Policy Management, Edit on the new GPO]

Expand and select Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies, then right-click Trusted Root Certification Authorities and click Import. On the Welcome to the Certificate Import Wizard page, click Next to proceed.

[Screenshot: Group Policy Management Editor, Public Key Policies >> Trusted Root Certification Authorities >> Import]

Next, select the rui.crt file created in the previous article and click Next. The certificate store is by default set to Trusted Root Certification Authorities; click Next, and on the last page complete the wizard by pressing Finish.

[Screenshot: Certificate Import Wizard, certificate store set to Trusted Root Certification Authorities]

If all is good, it shows the friendly message The import was successful, and the new certificate will be visible for deployment. Close the Group Policy Management Editor.

[Screenshot: The import was successful, certificate listed under Trusted Root Certification Authorities]

On the newly created GPO, go to the Settings tab; the certificate information should be visible after refreshing the page.

[Screenshot: GPO Settings tab showing the root CA certificate under Public Key Policies]

The new GPO is created; the next step is to link the GPO to a domain, OU (organizational unit) or site. I want to apply it to the entire domain here, so select the domain name, right-click and choose Link an Existing GPO. Select the earlier created policy from the list and click OK.

[Screenshot: Group Policy Management, Link an Existing GPO, selecting the new GPO]

The policy is linked; review both policies. On the policy linked at the domain there will be a shortcut icon. It will take around 90 minutes for client computers to pull the settings and reflect the change.

[Screenshot: Group Policy Management, the linked GPO shown next to the Default Domain Policy]

To expedite and test the setting immediately, pick a domain-joined member computer and execute the command gpupdate /force. Before updating the settings, open the Certificates MMC: the certificate will not be visible under Trusted Root Certification Authorities >> Certificates. Once you execute gpupdate /force the settings refresh; review that the certificate is now visible.

[Screenshot: mmc.exe Certificates (Local Computer), Trusted Root Certification Authorities after gpupdate /force]
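The steps above (create the GPO, link it at the domain, refresh a client and check the store) can be scripted and, more importantly, verified. The following PowerShell is an added example and not part of the original post or of any VMware or Microsoft tooling. It assumes the RSAT GroupPolicy module on the admin workstation, a placeholder domain DN of DC=corp,DC=example, a GPO name and a rui.crt path that are my own choices, and it deliberately leaves the Trusted Root import itself to the GPMC wizard described above, because the GroupPolicy module has no cmdlet for that step. The client-side function checks two things a practitioner wants to know: whether the certificate is in the machine Root store at all, and whether it got there through Group Policy (policy-delivered roots are written under the SystemCertificates policy key) rather than by a manual import that nobody will maintain.

```powershell
# Added example (not from the original post). Two halves:
#   1. Admin workstation: create/link the GPO idempotently (wizard import still done in GPMC).
#   2. Domain-joined client: confirm the root cert arrived, and arrived via policy.

# --- 1. Admin side (requires RSAT GroupPolicy module) ---
function New-RootCertGpo {
    param(
        [string]$Name     = 'Trusted Root - ESXi self-signed (rui.crt)',  # assumed GPO name
        [string]$TargetDn = 'DC=corp,DC=example'                         # placeholder domain DN
    )
    Import-Module GroupPolicy -ErrorAction Stop

    # Create only if missing, so re-running the script is safe.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Deploys the ESXi self-signed root certificate'
    }

    # Link at the domain (or an OU) only if not already linked there.
    $alreadyLinked = (Get-GPInheritance -Target $TargetDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Target $TargetDn -LinkEnabled Yes | Out-Null
    }
    # Next: open this GPO in GPMC and import rui.crt under
    # Computer Configuration > Policies > Windows Settings > Security Settings >
    # Public Key Policies > Trusted Root Certification Authorities (the wizard in the post).
    return $gpo
}

# Read the thumbprint from the .crt so the client check keys on the exact certificate,
# not on a subject name that another (rogue or stale) cert could also carry.
function Get-CertThumbprintFromFile {
    param([string]$Path = 'C:\certs\rui.crt')   # assumed location of the file from the earlier article
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

# --- 2. Client side ---
function Test-RootCertDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint, [switch]$Refresh)

    if ($Refresh) {
        # Same as the post: pull the policy now instead of waiting for the background refresh.
        gpupdate /force | Out-Null
    }

    # What the machine actually trusts (Schannel, browsers using the Windows store, PowerCLI).
    $inRootStore = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"

    # Roots pushed by Group Policy are materialised under the policy hive; a cert present in
    # the store but absent here was imported by hand and will not be managed by the GPO.
    $policyPath  = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    $viaPolicy   = Test-Path $policyPath

    $result = [pscustomobject]@{
        Thumbprint     = $Thumbprint
        InRootStore    = $inRootStore
        DeliveredByGpo = $viaPolicy
        DaysToExpiry   = $null
    }

    if ($inRootStore) {
        $cert = Get-Item "Cert:\LocalMachine\Root\$Thumbprint"
        $result.DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($result.DaysToExpiry -lt 30) {
            Write-Warning "Root cert $Thumbprint expires in $($result.DaysToExpiry) days; regenerate and re-import into the GPO."
        }
    } else {
        Write-Warning "Root cert $Thumbprint not in LocalMachine\Root; check GPO link/scope with 'gpresult /r'."
    }
    return $result
}

# Usage (admin):   New-RootCertGpo; $t = Get-CertThumbprintFromFile 'C:\certs\rui.crt'
# Usage (client):  Test-RootCertDeployed -Thumbprint $t            # expect False/False before refresh
#                  Test-RootCertDeployed -Thumbprint $t -Refresh   # expect True/True after gpupdate
```

Run the first two functions on the admin workstation, do the wizard import in GPMC, then run Test-RootCertDeployed on a member computer once without and once with -Refresh; the before/after pair reproduces the check the post does by eye in the Certificates MMC, and the DeliveredByGpo column distinguishes a policy-managed root from one someone imported manually on that box.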

Useful Articles
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
Configure SNMP on ESXi Server GUI: VMware Best Practices
