How to deploy Root Certificate of Web Safety using Group Policy?

Web Safety is running integrated with Microsoft Active Directory. How do we deploy the Root CA certificate of Web Safety to all domain-joined computers in our network?

To deploy the Root CA certificate used for HTTPS filtering to all domain-joined computers, do the following.

First, download the myca.der certificate from the Web Safety UI as shown on the following screenshot.

../../_images/myca_login4.png

On your domain controller, start the Group Policy Management snap-in.

../../_images/group_policy_management_mmc.png

In Group Policy Management, expand Forest / Domains / Your domain / Group Policy Objects / Default Domain Policy. Right-click it and choose Edit as shown on the following screenshot.

../../_images/group_policy_edit.png

In the Group Policy Management Editor snap-in that appears, select Policies / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities, right-click in the right pane and select Import as shown on the following screenshot.

../../_images/trusted_root_certification_authorities.png

The Certificate Import Wizard appears. Click through it, selecting the certificate you downloaded previously and ensuring the certificate goes to the Trusted Root Certification Authorities store.

../../_images/certificate_import_wizard_step1.png

Note: the certificate file downloaded from Web Safety has the .der extension rather than the usual .cer. This is fine and makes no difference to the system; just remember to select Show All Files in the file browsing dialog when uploading.

../../_images/certificate_import_wizard_step2.png

The certificate will be added to the Trusted Root Certification Authorities store automatically.

../../_images/certificate_import_wizard_step3.png

After the Certificate Import Wizard finishes, you will see your certificate in the list.

../../_images/uploaded_root_ca_certificate.png

The domain policy will now be applied to your domain-joined computers after reboot (logoff/logon). To ensure it is indeed applied, you might need to run gpupdate /force on every desktop.
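
To confirm the result on a client, the following PowerShell check (an added example, not part of the Web Safety documentation) loads myca.der, reports whether it is a valid CA certificate, and tests whether that exact certificate is in the machine's Trusted Root store and was delivered by Group Policy. It assumes a copy of myca.der is available on the client; the `CertPath` parameter name is hypothetical.

```powershell
# Added example: verify that the Web Safety root CA reached this client via Group Policy.
# Run on a domain-joined computer after gpupdate /force.
param(
    # Assumption: a copy of the myca.der file downloaded from the Web Safety UI.
    [string]$CertPath = '.\myca.der'
)

$ErrorActionPreference = 'Stop'

# Load the DER-encoded certificate; the file extension is irrelevant to the parser.
$file = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Basic Constraints (OID 2.5.29.19) must mark the certificate as a CA.
$bc   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# The logical machine Root store includes certificates distributed by policy.
$inRootStore = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

# Root certificates distributed by Group Policy are stored under this registry key,
# one subkey per certificate, named by thumbprint.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$viaGpo = Test-Path (Join-Path $gpoKey $cert.Thumbprint)

$now = Get-Date
[pscustomobject]@{
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    NotBefore      = $cert.NotBefore
    NotAfter       = $cert.NotAfter
    CurrentlyValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    IsCA           = $isCa
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
    InRootStore    = $inRootStore
    DeliveredByGpo = $viaGpo
}

# Non-zero exit code lets a logon script or management tool flag clients that lack the CA.
if (-not ($inRootStore -and $viaGpo)) { exit 1 }
```

The Thumbprint value should be identical on every client and match the file you imported into the policy; a trusted root with a different thumbprint under the same subject name is worth investigating.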