Configuring Workgroup Computers with Internal EV Certificates

You know that starting with Windows Server 2008 R2 you can configure your Internal CA to issue Extended Validation (EV) certificates, right? But what about workgroup computers? Let’s say you have a few computers in your organization that are not joined to the domain and you want your users to have that green bar in IE. Well… it can be done, but you’ll have to do everything by hand, since you have no Group Policy on those computers.

I presume you have already installed an Enterprise Windows CA and configured it for EV certificates. The next step is to export the root certificate, note the thumbprint and the EV OID, and put them somewhere for later use. I’m going to open the local computer Certificates Store on a domain computer (Start > Run > mmc.exe), with admin rights of course. Go to the Trusted Root Certification Authorities > Certificates store and double-click the internal root certificate. Once it is open, hit the Details tab and note the Thumbprint. Now click the Copy to File button to start the Certificate Export Wizard.

On the Export File Format page, leave the default selection and continue the wizard.

Choose a path to export the certificate to and click Next.


And the export was successful.

Back on the Certificate Properties window, click on the Edit Properties button, go to the Extended Validation tab and note the OID.

Now log in to one of your workgroup computers, open the local computer Certificates Store and go to the Trusted Root Certification Authorities > Certificates. Right-click Certificates > All Tasks > Import.

Click Next to skip the Certificate Import Wizard Welcome screen.

Hit the Browse button and provide the root certificate exported earlier. Finish the wizard using the default options.

Now you should have the certificate in the Trusted Root Certification Authorities store on the workgroup computer.

Right-click the certificate and choose Properties. Go to the Extended Validation tab, enter the OID (noted earlier) and hit Add OID, then OK.

By now, this client should get the green bar if you browse an internal web site that has an EV certificate.

If you don’t want to keep putting the OID in the certificate for the rest of the workgroup computers, you can export the registry key that contains the certificate EV blob. Open the registry editor (Start > Run > regedit) and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. Here, find the key that corresponds to the root certificate thumbprint and export it.

From now on, all you have to do on the rest of the workgroup computers is import the root certificate (in the local computer Certificates Store) and the .reg file. You don’t have to keep writing down thumbprints and OIDs.
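
One way to script that last step, as an added example that is not part of the original post: it checks the exported certificate against the thumbprint you noted and refuses a .reg file that touches any key other than that certificate's, then imports both. The parameter names are hypothetical; certutil.exe and reg.exe are the stock Windows tools.

```powershell
# Added example (not from the original post). Run elevated on the workgroup computer.
param(
    [Parameter(Mandatory=$true)][string]$CerPath,            # root certificate exported earlier
    [Parameter(Mandatory=$true)][string]$RegPath,            # exported registry key (.reg)
    [Parameter(Mandatory=$true)][string]$ExpectedThumbprint  # thumbprint noted on the domain computer
)
$ErrorActionPreference = 'Stop'

# The Details tab shows the thumbprint with spaces; keep only the hex digits.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) { throw 'Expected a 40-hex-digit thumbprint.' }

# 1. The file must be the certificate whose thumbprint was noted.
$cerFull = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFull
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
}

# 2. The .reg file must touch only this certificate's key under ROOT\Certificates.
$allowed = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$expected"
$keys = @(foreach ($line in Get-Content -LiteralPath $RegPath) {
    if ($line -match '^\[(.+)\]\s*$') { $Matches[1] }
})
$unexpected = @($keys | Where-Object { $_ -ne $allowed })
if ($keys.Count -eq 0 -or $unexpected.Count -gt 0) {
    throw "Refusing to import ${RegPath}: unexpected keys: $($unexpected -join ', ')"
}

# 3. Import the certificate, then the registry key.
& certutil.exe -addstore Root $cerFull | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }
& reg.exe import $RegPath
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE." }

# 4. Confirm the root is present in the local computer store.
if (-not (Test-Path "Cert:\LocalMachine\Root\$expected")) {
    throw 'Root certificate not found after import.'
}
"Imported root $expected ($($cert.Subject)) with its EV registry data."
```

Pass the thumbprint from your own notes rather than reading it off the file being imported, otherwise the first check verifies nothing.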
