This is part three of a series on creating your own self-signed PKI and some ways to use that PKI, such as setting up SSL for your web server or creating your own OpenVPN server.
Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.
Prerequisites
- An XCA PKI database https://youtu.be/ezzj3x207lQ
Exporting Certificates from XCA
- Launch XCA
- Open the PKI database if it is not already open (File > Open DataBase) and enter the password
- Click on the Certificates tab
- Right click the Intermediate CA certificate > Export > File
- Set the file name with a .crt extension and verify the export format is PEM (*.crt)
- Click OK
- Right click the Root CA certificate > Export > File
- Set the file name with a .crt extension and verify the export format is PEM (*.crt)
- Click OK
Push Certificates Into Windows Certificate Store Via GPO
- Launch Group Policy Management (Control Panel > Administrative Tools > Group Policy Management)
- Right click Default Domain Policy > Edit...
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
- Right click Trusted Root Certification Authorities > Import...
- Click Next
- Click Browse > Select the exported Root CA .crt file > Click Next
- Verify Include all extended properties is checked
- Click Next
- Click Next
- Click Finish
- Right click Intermediate Certification Authorities > Import...
- Click Next
- Click Browse > Select the exported Intermediate CA .crt file > Click Next
- Verify Include all extended properties is checked
- Click Next
- Click Next
- Click Finish
- Close the Group Policy Management Editor window
- Force a Group Policy update by right clicking the Start button > Run > cmd
- Type gpupdate /force
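After gpupdate has run on a domain-joined machine, it is worth confirming that the two exported files are what you expect and that the GPO placed each one in the correct store (the Root CA in Trusted Root, the Intermediate CA in Intermediate Certification Authorities, and not the other way round). The PowerShell below is an added verification script, not part of the original guide or of XCA; the two file paths are assumptions and should be changed to wherever you saved the exports from the "Exporting Certificates from XCA" step. Run it in an elevated PowerShell prompt on a client that has received the policy.

```powershell
# Added example: verify the XCA exports and their GPO deployment.
# The two paths below are assumed; point them at your own exported files.
$RootCaFile         = 'C:\PKI\RootCA.crt'          # assumed path
$IntermediateCaFile = 'C:\PKI\IntermediateCA.crt'  # assumed path

function Read-CertificateFile {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 loads both DER and PEM (Base64) encoded .crt files,
    # so the PEM export chosen in XCA can be read directly.
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

function Test-IsCaCertificate {
    param([Parameter(Mandatory)]$Certificate)
    # A CA certificate must carry the Basic Constraints extension with CA=TRUE.
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return [bool]($bc -and $bc.CertificateAuthority)
}

function Test-HomelabPkiDeployment {
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$IntermediatePath
    )
    $root = Read-CertificateFile -Path $RootPath
    $sub  = Read-CertificateFile -Path $IntermediatePath

    # 1. Sanity-check the exported files themselves.
    $rootSelfSigned   = ($root.Subject -eq $root.Issuer)
    $subIssuedByRoot  = ($sub.Issuer -eq $root.Subject)
    $bothAreCa        = (Test-IsCaCertificate $root) -and (Test-IsCaCertificate $sub)

    # 2. Check each certificate landed in the store the GPO targets.
    $rootStore = Get-ChildItem Cert:\LocalMachine\Root
    $caStore   = Get-ChildItem Cert:\LocalMachine\CA
    $rootInRootStore   = [bool]($rootStore | Where-Object Thumbprint -eq $root.Thumbprint)
    $subInCaStore      = [bool]($caStore   | Where-Object Thumbprint -eq $sub.Thumbprint)
    # An intermediate imported into Trusted Root would be trusted without
    # the root ever being consulted, so flag that mistake explicitly.
    $subWronglyInRoot  = [bool]($rootStore | Where-Object Thumbprint -eq $sub.Thumbprint)

    # 3. Ask Windows to build the chain for the intermediate using only what
    #    is in the machine stores. Revocation is skipped because a homelab
    #    CA from XCA typically publishes no CRL.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($sub)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [PSCustomObject]@{
        RootSubject            = $root.Subject
        IntermediateSubject    = $sub.Subject
        RootIsSelfSigned       = $rootSelfSigned
        IntermediateIssuedByRoot = $subIssuedByRoot
        BothHaveCaConstraint   = $bothAreCa
        RootInTrustedRootStore = $rootInRootStore
        IntermediateInCaStore  = $subInCaStore
        IntermediateWronglyInRootStore = $subWronglyInRoot
        ChainBuilds            = $chainBuilds
        ChainErrors            = $chainErrors
        AllChecksPass          = $rootSelfSigned -and $subIssuedByRoot -and $bothAreCa -and
                                 $rootInRootStore -and $subInCaStore -and
                                 (-not $subWronglyInRoot) -and $chainBuilds
    }
}

Test-HomelabPkiDeployment -RootPath $RootCaFile -IntermediatePath $IntermediateCaFile | Format-List
```

If RootInTrustedRootStore or IntermediateInCaStore comes back False right after gpupdate, check that the machine actually falls under the Default Domain Policy (gpresult /r lists the applied GPOs) before re-importing anything. If ChainBuilds is False, ChainErrors will say why; the most common cause is the intermediate having been imported into the wrong store, which the IntermediateWronglyInRootStore field reports directly.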