Part 4: EJBCA Certificate Chain Deployment to Clients

The following covers how to install the certificate chain from EJBCA into client certificate stores: download the CA certificates from EJBCA, then set group policies that automatically place the CA certificates into their respective certificate stores.

Download CA Certificates

To download the CA Certificates using the EJBCA Public Web, do the following:

  1. On the AD Domain Services Server, go to the EJBCA Public Web Fetch CA Certificates page at http://<ejbcaserver.yourcompany.com>:8080/ejbca/retrieve/ca_certs.jsp.
  2. Click Download to Internet Explorer to download the Root CA certificate, Intermediate CA certificate, and Issuing CA certificate.
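
Because the certificates above are fetched over plain HTTP and the root will become a domain-wide trust anchor, it is worth validating the downloaded files before importing them. The following PowerShell is an added example, not part of the original guide or of EJBCA: the folder, the file names, the fingerprint placeholders and the assumption that the Issuing CA is signed by the Intermediate CA are all hypothetical and must be adapted.

```powershell
# Added example: validate the downloaded CA files before importing them into the GPO.
# Folder, file names and fingerprint values below are placeholders (assumptions).
$Dir = 'C:\Temp\ejbca-ca'
$Expected = [ordered]@{   # SHA-256 fingerprints obtained out of band from the CA administrator
    'root.cer'         = '<ROOT-CA-SHA256>'
    'intermediate.cer' = '<INTERMEDIATE-CA-SHA256>'
    'issuing.cer'      = '<ISSUING-CA-SHA256>'
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$certs  = @{}
foreach ($name in $Expected.Keys) {
    $path = Join-Path $Dir $name
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # Compare the fingerprint of the DER encoding with the out-of-band value.
    $fp   = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    $want = $Expected[$name] -replace '[:\s]', ''
    if ($fp -ne $want) { throw "${name}: fingerprint mismatch (got $fp)" }

    # Only CA certificates belong in these stores (Basic Constraints, OID 2.5.29.19).
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "${name}: not a CA certificate" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "${name}: expired on $($cert.NotAfter)" }
    $certs[$name] = $cert
}

$root, $inter, $issuing = $certs['root.cer'], $certs['intermediate.cer'], $certs['issuing.cer']

# Name-level checks only (no signature verification): the root is self-issued and
# each subordinate names the CA above it as its issuer (assumed three-tier chain).
if ($root.Subject -ne $root.Issuer)     { throw 'root.cer is not self-issued' }
if ($inter.Issuer -ne $root.Subject)    { throw 'intermediate.cer was not issued by root.cer' }
if ($issuing.Issuer -ne $inter.Subject) { throw 'issuing.cer was not issued by intermediate.cer' }

# Store each file should be imported into, matching the GPO steps in this guide.
@(
    [pscustomobject]@{ File = 'root.cer';         Store = 'Trusted Root Certification Authorities'; Subject = $root.Subject }
    [pscustomobject]@{ File = 'intermediate.cer'; Store = 'Intermediate Certification Authorities'; Subject = $inter.Subject }
    [pscustomobject]@{ File = 'issuing.cer';      Store = 'Intermediate Certification Authorities'; Subject = $issuing.Subject }
) | Format-Table -AutoSize
```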

Import Certificates

Next, set the group policies to automatically place the CA certificates into their respective certificate stores. Note that a Group Policy Object (GPO) is a set of Group Policy configurations.

  1. Open Group Policy Management (gpmc.msc) on the AD Server.
  2. Expand your domain forest, and select <yourcompany.com> from your Domains.
  3. Right-click the domain and select Create a GPO in this domain, and Link it here.
  4. Set the GPO name to Trusted EJBCA CA certs.
  5. Right-click Trusted EJBCA CA certs GPO and click Edit.
  6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  7. Click the Action menu or right-click and then click Import.
  8. Follow the instructions in the Certificate Import Wizard to import the Root CA certificate.
  9. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities.
  10. Click the Action menu or right-click and then click Import.
  11. Follow the instructions in the Certificate Import Wizard to import the Intermediate CA certificate.
  12. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities.
  13. Click the Action menu or right-click and then click Import.
  14. Follow the instructions in the Certificate Import Wizard to import the Issuing CA certificate.