I am contemplating adding the AD CA role to our server and using GPO to add a self-signed, trusted certificate to all internal clients (to ease testing)... Some of the related questions regarding this are:
My question is, will using GPO to "push" a self-signed cert only work for Internet Explorer, or will it work for any browser on the clients? Also, will it allow client trust in the case of non-browser applications (such as web service clients)?
It will make any Windows clients joined to your domain trust your certificate authority as a Trusted Root CA, so any certificates your CA issues are automatically trusted by your computers. Anything that asks Windows if a certificate is trusted will trust the root certificate, but not all browsers do this.
For example, Internet Explorer will trust the certificate, as will Outlook (for example, an Exchange AutoDiscover certificate); however, Firefox does not trust the certificate and holds its own list of trusted certificates. It all depends on individual browser implementation, I'm afraid.
Normally you can import trusted root certificates into an application if it uses its own list of trusted certificates, but again this is implementation-dependent.
Trust is computer-wide, so it will be valid for uses other than IE (depending on the type of cert). After you create the CA you can deploy the root certificate via a GPO: How do I deploy an internal certificate authority?
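A way to confirm on a client what both answers describe, namely that the GPO-deployed root is in the computer-wide store and that Windows itself will validate a certificate issued by it. This is an added example, not part of either answer; the function name `Test-InternalRootTrust`, the thumbprint and the file path are placeholders to replace with your own.

```powershell
# Added example. Parameter values are placeholders, not values from the page.
function Test-InternalRootTrust {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,  # thumbprint of your internal root CA
        [Parameter(Mandatory)][string]$LeafCertPath     # .cer file of a certificate that CA issued
    )
    $thumb = ($RootThumbprint -replace '\s', '').ToUpper()

    # Computer-wide Trusted Root store: what applications that ask Windows will consult.
    $inStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $thumb })

    # Roots delivered by Group Policy are kept under the Policies registry key.
    $gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    $viaGpo = Test-Path -Path $gpoKey

    # Ask the Windows chain engine the same question an application would.
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($leaf)   # default policy, including online revocation checking

    # The last chain element is the trust anchor Windows selected.
    $anchor = $null
    if ($chain.ChainElements.Count -gt 0) {
        $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }

    [pscustomobject]@{
        RootInMachineStore = $inStore
        DeliveredByGpo     = $viaGpo
        ChainValid         = $valid
        ChainsToThisRoot   = ($anchor -eq $thumb)
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-InternalRootTrust -RootThumbprint '<ROOT-CA-THUMBPRINT>' -LeafCertPath 'C:\path\to\issued-cert.cer'
```

A passing result covers only software that relies on the Windows store; an application that keeps its own trust list, such as Firefox in the answer above, has to be checked separately.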