OPNsense – Transparent Caching Filtering Proxy with Virus Scanning – Step 9 CA Cert Deployed with GPO

This is a pretty long guide, even before I added images, so it is broken into sections. I hope it is easy to follow; if you find any errors, please Contact us!

Step 9 – OPTIONAL – Deploy CA Certificate with GPO

This assumes you are using Windows Active Directory and want every computer in the environment to obtain the proxy CA cert automatically. The process works for deploying any cert via GPO, not just a proxy CA cert.

  1. Open Group Policy Management Console
  2. Find the location you want to create the GPO for (which is a Computer based Policy), right click the OU, and click Create a GPO in this domain, and Link it here. I only wanted it to apply to a specific server group.
  3. Name the GPO. I like to name it “PC – purpose”, where PC means it is a Computer Policy, but keep to your organization standards.
  4. Right-click the new GPO and click Edit.
  5. Expand Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies, and click on Trusted Root Certification Authorities.
  6. Right click Trusted Root Certification Authorities and click Import.
  7. Click Next.
  8. Select the CA Cert you exported from OPNsense in Step 8. Click Next.
  9. Ensure Place all certificates in the following store is selected, and also ensure the box says Trusted Root Certification Authorities. Click Next.
  10. Click Finish.
  11. You should now see the cert in the GPO.
  12. If you have more than one AD domain controller, ensure they have all replicated. The easiest way is to verify the new GPO exists on the other servers.
  13. Now, from a test PC, open the Certificates manager (using MMC, the same as you did in Step 8). You may find the cert is not in Trusted Root Certification Authorities->Certificates yet. If not, open a command prompt (does not need to be run as admin) and run this:
    gpupdate /force
  14. Once that completes, right-click Certificates in MMC, and Click Refresh. You should now see the OPNsense cert in the Trusted Root Certification Authorities->Certificates.
  15. Now open your browser, access an HTTPS site, and view the certificate. You will see no cert error, and the certificate chain will end at the OPNsense CA cert, confirming the proxy is intercepting the connection.
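To check steps 13 to 15 without clicking through MMC and a browser, here is an added PowerShell verification script (not part of the original guide or of OPNsense). It assumes the CA cert exported in Step 8 is at C:\Temp\opnsense-ca.cer and uses example.com as the test HTTPS site; both are assumptions you should adjust. It compares by thumbprint rather than by name, so a stale or look-alike cert in the store is not mistaken for the deployed one.

```powershell
# Added verification script; assumed path and test host below, adjust as needed.
param(
    [string]$CaCertPath = 'C:\Temp\opnsense-ca.cer',   # assumed: CA cert exported in Step 8
    [string]$TestHost   = 'example.com'                 # assumed: any HTTPS site behind the proxy
)

# 1. Load the exported CA cert so the check is by thumbprint, not by display name.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
Write-Host "Expected CA thumbprint: $($expected.Thumbprint)"

# 2. Confirm the GPO placed it in the machine-wide Trusted Root store (Cert:\LocalMachine\Root).
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if (-not $installed) {
    Write-Warning "CA cert not in LocalMachine\Root yet. Run 'gpupdate /force', then 'gpresult /r /scope:computer' to confirm the GPO applied."
    return
}
Write-Host "CA cert present in Trusted Root Certification Authorities."

# 3. Open a TLS connection to the test host and inspect the certificate actually presented.
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($TestHost)   # throws if Windows cannot validate the chain
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Server cert issuer: $($remote.Issuer)"

    # 4. Walk the chain; the last element is the root. If it is the OPNsense CA,
    #    the proxy is intercepting and the deployed trust is being used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($remote)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -eq $expected.Thumbprint) {
        Write-Host "Chain terminates at the OPNsense CA: interception is working and trusted."
    } else {
        Write-Warning "Chain root is '$($root.Subject)', not the OPNsense CA: this host is not passing through the proxy."
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it in an elevated or normal PowerShell session on the test PC after gpupdate; reading the LocalMachine\Root store does not require admin rights.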

This completes Step 9.
