When using self-signed certificates or certificates from a non-public Certificate Authority (CA), client computers will display trust warnings because they do not recognize the issuing CA. Rather than manually installing the certificate on every machine, you can distribute trusted root certificates automatically to all domain-joined computers using Group Policy. This guide covers the Group Policy method, the certutil command-line approach, Active Directory Certificate Services, and the fundamentals of certificate stores.

Understanding Certificate Stores

Windows organizes certificates into stores based on their purpose:

Machine Certificate Stores

Store                                    Purpose
Trusted Root Certification Authorities   Root CA certificates that the computer inherently trusts. All certificate chains must terminate at a certificate in this store.
Intermediate Certification Authorities   Certificates from CAs that are subordinate to a trusted root. Used to complete certificate chains.
Personal                                 Certificates issued to the computer (like SSL certificates for IIS).
Trusted Publishers                       Code-signing certificates from trusted software publishers.

User Certificate Stores

User certificate stores have the same structure but apply to the current user rather than the machine. Certificates in the machine store apply to all users on that computer.

Viewing Certificate Stores

Open the certificate manager:

# Machine certificates (requires admin)
certlm.msc

# Current user certificates
certmgr.msc

Or from the command line:

# List certificates in the Trusted Root store
certutil -store Root

# List certificates in the machine personal store
certutil -store My

Method 1: Using Group Policy

Group Policy is the most reliable and scalable way to distribute certificates to domain computers.

Step 1: Export the Certificate

If you have not already exported the root CA certificate, do so from the CA server or from any machine that has it installed:

# Export from the certificate store (the certificate can be identified by subject name, serial number, or thumbprint)
certutil -store Root "CA Name" C:\certs\rootca.cer

# Or export through the certificate manager GUI:
# Open certlm.msc, find the certificate, right-click > All Tasks > Export
# Choose DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER)

Step 2: Create or Edit a Group Policy Object

  1. Open Group Policy Management (gpmc.msc)
  2. Either create a new GPO or edit an existing one
  3. Link the GPO to the domain (for all computers) or a specific OU (for targeted distribution)

Step 3: Import the Certificate

  1. In the GPO Editor, navigate to:
    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
  2. Right-click Trusted Root Certification Authorities and select Import…
  3. Browse to the certificate file (.cer, .crt, or .p7b)
  4. Complete the import wizard, ensuring the store is set to Trusted Root Certification Authorities

Step 4: Distribute Intermediate Certificates (If Needed)

If the CA chain includes intermediate certificates, import them separately:

  1. Navigate to:
    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities
  2. Import the intermediate CA certificate(s)

Step 5: Verify Distribution

After Group Policy refreshes (up to 90 minutes, or force it immediately):

# Force Group Policy update
gpupdate /force

# Verify the certificate is in the store
certutil -store Root "Your CA Name"

# Or check via PowerShell
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*Your CA*" }

Method 2: Using certutil Command Line

For one-off installations or scripting without Group Policy:

Add a Certificate to the Trusted Root Store

# Add to machine Trusted Root store (requires admin)
certutil -addstore Root C:\certs\rootca.cer

# Add to machine Intermediate store
certutil -addstore CA C:\certs\intermediate.cer

# Add to current user's Trusted Root store
certutil -user -addstore Root C:\certs\rootca.cer

Remove a Certificate

# Remove from Trusted Root store by serial number
certutil -delstore Root "SerialNumberHere"

Script for Multiple Machines

Combine with PowerShell remoting for bulk deployment:

$computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com"
$certPath = "\\fileserver\share\certs\rootca.cer"

foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer.Name -ScriptBlock {
        param($cert)
        certutil -addstore Root $cert
    } -ArgumentList $certPath
}
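The loop above hands the remote computer a UNC path, which means the remote session has to authenticate to the file server itself (the Kerberos "second hop"), and it re-runs certutil on every machine regardless of whether the certificate is already present. The following is an added example, not code from the original guide, that reads the certificate once on the administrator's workstation, ships its DER bytes into each remoting session, and skips machines that already hold the certificate (matched by thumbprint). The OU and the local path C:\certs\rootca.cer are assumed values.

```powershell
# Added example (not from the original guide). Assumed values: the OU below and the
# local file C:\certs\rootca.cer. Requires PowerShell 5.1 or later on both ends.

$searchBase = "OU=Workstations,DC=corp,DC=example,DC=com"   # assumed OU
$certPath   = "C:\certs\rootca.cer"                           # assumed local path

# Load the certificate once locally to obtain its raw DER bytes and thumbprint.
$rootCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$certBytes = $rootCert.RawData
$thumb     = $rootCert.Thumbprint
Write-Host "Deploying '$($rootCert.Subject)' (thumbprint $thumb)"

$computers = Get-ADComputer -Filter * -SearchBase $searchBase | Select-Object -ExpandProperty Name

# $using: variables are serialized into each remote session, so nothing is fetched from a share.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $raw        = [byte[]]$using:certBytes
    $thumbprint = $using:thumb

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if ($store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }) {
            $status = 'AlreadyPresent'
        } else {
            $store.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw))
            $status = 'Installed'
        }
    } finally {
        $store.Close()
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = $status }
}

$results | Sort-Object Computer | Format-Table Computer, Status -AutoSize

# Unreachable or failed computers are collected in $remoteErrors instead of aborting the run.
foreach ($err in $remoteErrors) {
    Write-Warning "$($err.TargetObject): $($err.Exception.Message)"
}
```

Because the comparison is by thumbprint, the script is safe to re-run after a partial rollout: machines that already received the certificate report AlreadyPresent, and only the ones that were unreachable the first time get a fresh install attempt.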

Method 3: Active Directory Certificate Services (AD CS)

If your organization runs its own PKI, Active Directory Certificate Services provides automatic trust for all domain members.

Enterprise CA Automatic Trust

When you install an Enterprise CA (integrated with Active Directory):

  1. The root CA certificate is automatically published to AD
  2. All domain-joined computers trust the CA automatically through the NTAuth store
  3. No manual GPO configuration is needed for the enterprise CA certificate

Installing AD CS

# Install the AD CS role
Install-WindowsFeature AD-Certificate -IncludeManagementTools

# Configure as an Enterprise Root CA
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10

Publishing Third-Party Certificates to AD

You can publish external root certificates to Active Directory so all domain members trust them:

# Publish a root CA certificate to AD (Certification Authorities container)
certutil -dspublish -f C:\certs\external-root.cer RootCA

# Publish an intermediate CA certificate to AD (AIA container)
certutil -dspublish -f C:\certs\external-intermediate.cer SubCA

This publishes the certificate to the CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com container in AD.

Verify AD-Published Certificates

# View certificates published in AD
certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com"

Trusted Root CAs vs. Intermediate CAs

Understanding the certificate chain is essential for proper distribution:

Certificate Chain Structure

Root CA Certificate (Self-signed, in Trusted Root store)
  └── Intermediate CA Certificate (Signed by Root, in Intermediate store)
        └── Server/Client Certificate (Signed by Intermediate, in Personal store)

What Goes Where

  • Root CA certificates go in the Trusted Root Certification Authorities store
  • Intermediate CA certificates go in the Intermediate Certification Authorities store
  • Server certificates go in the Personal (My) store on the server

Common Mistake: Missing Intermediate Certificates

A common issue is that the root CA is trusted but the intermediate is missing. The client cannot build the complete chain, resulting in trust errors. Always distribute both the root and intermediate certificates.
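To tell a missing intermediate apart from an untrusted root when a client reports a trust error, build the chain the same way the client does and inspect the status flags. The following is an added example, not code from the original guide; it uses the .NET X509Chain class rather than any cmdlet, and the path C:\certs\server.cer is an assumed sample input (a leaf certificate exported without its private key).

```powershell
# Added example (not from the original guide). Builds the chain for a leaf certificate and
# reports where it breaks: PartialChain means the issuer of the last element could not be
# found (typically a missing intermediate); UntrustedRoot means the chain reached a
# self-signed certificate that is not in Trusted Root Certification Authorities.

function Test-IssuedCertChain {
    param([Parameter(Mandatory)][string]$CertPath)   # assumed: path to a .cer file

    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip revocation so an unreachable CRL does not mask a chain-building problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $valid = $chain.Build($leaf)

    Write-Host "Chain for: $($leaf.Subject)"
    foreach ($element in $chain.ChainElements) {
        $problems = @($element.ChainElementStatus | ForEach-Object { [string]$_.Status }) -join ', '
        if (-not $problems) { $problems = 'OK' }
        Write-Host ("  {0}`n      status: {1}" -f $element.Certificate.Subject, $problems)
    }

    $statuses = @($chain.ChainStatus | ForEach-Object { [string]$_.Status })
    $top = @($chain.ChainElements)[-1].Certificate   # highest certificate the builder could find

    if ($statuses -contains 'PartialChain') {
        Write-Warning "Chain stops at '$($top.Subject)'; its issuer '$($top.Issuer)' is not installed. Distribute the missing intermediate or root CA certificate."
    } elseif ($statuses -contains 'UntrustedRoot') {
        Write-Warning "Chain reaches the self-signed certificate '$($top.Subject)', which is not in Trusted Root Certification Authorities."
    } elseif ($valid) {
        Write-Host "Chain is complete and trusted."
    }
    return $valid
}

Test-IssuedCertChain -CertPath "C:\certs\server.cer"
```

Run it on a client that shows the trust warning, not on the CA server: the CA server normally has the whole chain installed and will report a complete chain even when the clients do not.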

PowerShell Certificate Management

Import Certificates via PowerShell

# Import to machine Trusted Root store
Import-Certificate -FilePath "C:\certs\rootca.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root

# Import to machine Intermediate store
Import-Certificate -FilePath "C:\certs\intermediate.cer" `
    -CertStoreLocation Cert:\LocalMachine\CA

# Import a PFX (certificate with private key); prompt for the password rather than hard-coding it in the script
Import-PfxCertificate -FilePath "C:\certs\server.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (Read-Host -Prompt "PFX password" -AsSecureString)

List and Search Certificates

# List all trusted root certificates
Get-ChildItem Cert:\LocalMachine\Root

# Find certificates expiring within 30 days
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.NotAfter -lt (Get-Date).AddDays(30)
}

# Find certificates by subject
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -like "*Corp Root CA*"
}

Remove Certificates

# Remove by thumbprint
Get-ChildItem Cert:\LocalMachine\Root\AB1234567890ABCDEF | Remove-Item

Best Practices

  • Use Group Policy for domain environments — It is the most reliable, auditable, and scalable method.
  • Deploy an Enterprise CA with AD CS for internal certificate needs rather than relying on self-signed certificates.
  • Distribute both root and intermediate certificates to avoid incomplete chain errors.
  • Monitor certificate expiration — Root CAs typically have long lifetimes (10-20 years), but track them to avoid surprise expirations.
  • Limit what you add to the Trusted Root store — Every certificate in this store is fully trusted. Only add CAs you genuinely trust.
  • Test in a staging OU first — Before deploying certificates domain-wide, test the GPO on a subset of computers.
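Two of these practices, limiting what sits in the Trusted Root store and testing on a staging OU first, can be checked with the same tool: snapshot the machine Trusted Root store on a known-good reference computer in the staging OU, then compare other machines against that snapshot. The following is an added example, not code from the original guide; the baseline file path is an assumed location.

```powershell
# Added example (not from the original guide). Export-RootBaseline runs on a reference
# computer; Compare-RootStore runs anywhere else and reports roots that are not in the
# baseline, roots the machine is missing, and roots approaching expiry.

function Export-RootBaseline {
    param([string]$Path = "C:\certs\root-baseline.json")   # assumed path
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RootStore {
    param(
        [string]$BaselinePath = "C:\certs\root-baseline.json",   # assumed path
        [int]$ExpiryWarningDays = 90
    )
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-ChildItem Cert:\LocalMachine\Root)
    $baselineThumbs = @($baseline | ForEach-Object { $_.Thumbprint })
    $currentThumbs  = @($current  | ForEach-Object { $_.Thumbprint })
    $cutoff = (Get-Date).AddDays($ExpiryWarningDays)

    # Roots present on this machine: flag anything outside the baseline and anything expiring soon.
    $findings = @(foreach ($cert in $current) {
        if ($baselineThumbs -notcontains $cert.Thumbprint) {
            [pscustomobject]@{ Finding = 'NotInBaseline'; Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
        if ($cert.NotAfter -lt $cutoff) {
            [pscustomobject]@{ Finding = 'ExpiringSoon'; Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
    })

    # Roots in the baseline that this machine never received (for example, the GPO did not apply).
    $findings += @(foreach ($entry in $baseline) {
        if ($currentThumbs -notcontains $entry.Thumbprint) {
            [pscustomobject]@{ Finding = 'MissingFromMachine'; Thumbprint = $entry.Thumbprint; Subject = $entry.Subject; NotAfter = $entry.NotAfter }
        }
    })

    return $findings
}

# Usage: run Export-RootBaseline on the reference machine, copy the file to the target, then:
Compare-RootStore | Sort-Object Finding, Subject | Format-Table -AutoSize
```

Treat NotInBaseline as a prompt to investigate rather than proof of tampering: Windows installs roots from the Microsoft root program on first use, so a machine that has visited more sites than the reference computer will legitimately show extra public roots. MissingFromMachine is the more direct check that the GPO from Step 5 actually applied.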

Summary

Distributing trusted root certificates across a domain eliminates the need for manual installation on each computer. Group Policy is the recommended approach for Active Directory environments — import the certificate into the appropriate policy and let GP push it to all targeted machines. For organizations with internal PKI needs, AD CS provides automatic trust distribution for enterprise CAs. Always distribute the complete certificate chain (root and intermediate CAs) and verify deployment with certutil or PowerShell.