
Certificate deleted from HKCU\Software\Microsoft\SystemCertificate\Root\Certificates on some machines

I have a need to add a self-signed certificate (from an internal system) to the Trusted Root User store for every user on all Windows 7 machines in my environment. The application system that requires this has a browser-based app client that connects to the server via SSL. The app vendor recommends having every user add the certificate to their store individually, but we'd like to pre-provision the certificate to remove the need for users to interact with the messages. If a user interacts with the message and chooses to install the certificate, you can see the certificate in IE under the Trusted Root certificates but it does not show in the machine trusted store.

We've attempted to add the certificate via Group Policy Computer Configuration Public Key policies, which works for getting the cert in the trusted store for the machine but does not work for the application. The certificate has to be in the user's Trusted Root store separate from the certificate being in the Machine's trusted root store.

We've also thought about using our internal CA to deploy a certificate for this app that will be inherently trusted by every workstation in our environment but the app provider says that we can't put an internal CA cert on the server that hosts this app.

I have created a Group Policy registry preference and scoped it to users. I can see with Group Policy Preference registry trace logging enabled that the policy is getting processed and applied successfully on all PCs. However, on some PCs, the certificate displays in the proper store and everything is good to go. On other PCs, the certificate is not displayed in IE or if I look at the registry at HKCU\Software\Microsoft\SystemCertificate\Root\Certificates. So I don't think the issue is group policy.

On PCs that are not working, if I perform a GPUPDATE and refresh the registry, I see the key for the certificate in the correct place, but if I wait a few minutes or if I open the user certificate store in IE, the key is automatically removed from the registry.

Can someone help me understand what is going on and how to stop the certificate from being removed?

Thanks,

Michael

