mhmservices asked:
Using GPO to deploy certificates

The IT team has been asked to set up some sort of secure email system and after some research we have determined that we have the resources to set up our own CA. My question is how can we harness GPO to deploy certificates to our users?
Abhay Pujari

Yes, you can do this through group policy. Follow the following Microsoft articles:
http://technet.microsoft.com/en-us/library/cc770315.aspx and
http://technet.microsoft.com/en-us/library/cc782744.aspx
ASKER CERTIFIED SOLUTION
Paranormastic
You may also have to go this route to deploy certificates:

To install certificates for IE using Group Policy, you can do the following... essentially, you'll have a logon script allocated via the GP...
 
 ---------------------
 The four files required to make the automatic installation possible are explained in detail below. In summary, they are:
   1. a Windows batch file or user profile logon script
   2. a copy of the Microsoft CAPICOM library (i.e. CAPICOM.dll)
   3. a Windows Scripting Host compatible script to perform the import (e.g. blah.vbs)
   4. a PKCS#12 certificate store file (e.g. cert.p12)
 These files can be stored in any convenient location. For example, they could be located on a network share called \\server\share, or temporarily copied onto each target PC.
 ---------------------
 
 In order to automate the installation or removal of digital certificates, you will need CAPICOM 2.0 or above. CAPICOM is a free Microsoft component which allows scripts to perform encryption and signing, as well as manage Windows' system key stores.
 It is distributed by Microsoft via their website as a single DLL file, CAPICOM.dll, and requires each target machine to be running Windows XP, 2000, ME, 98 or NT 4.0 (Service Pack 4 or above). Internet Explorer 5 or above with support for 128-bit SSL is also required. These instructions are not compatible with Opera or Netscape-based browsers, which use their own internal storage for certificates.
 
 To obtain CAPICOM.dll:
   1. Download the CAPICOM installer from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6 
   2. Run cc21inst.EXE to unpack the contents into a directory called CAPICOM 2.1.0.1.
   3. Copy the file CAPICOM 2.1.0.1\x86\capicom.dll to your preferred location
   4. Optionally: Copy the file CAPICOM 2.1.0.1\samples\vbs\blah.vbs to your preferred location (see under Windows Scripting Host, below)
 
 Before CAPICOM can be used, the DLL must be installed ('registered') on each target PC. This is achieved using the regsvr32 command-line utility. This can be performed once as part of a mass installation, or it can be manually registered and unregistered each time the logon script runs.
 
 To register CAPICOM.dll:
   1. Copy CAPICOM.dll to a suitable location (e.g. c:\winnt\system32)
   2. Open a Command Prompt window
   3. Change to the directory where CAPICOM.dll is installed
   4. Enter the command:
      regsvr32 CAPICOM.dll
   5. You should see the message "DllRegisterServer in CAPICOM.dll succeeded"
 
 To prevent the dialog box from appearing, use regsvr32 /s CAPICOM.dll instead
 
 As with most DLLs, CAPICOM.dll must be unregistered before it is deleted from the system:
 
 To unregister CAPICOM.dll:
   1. Open a Command Prompt window
   2. Change to the directory where CAPICOM.dll is installed
   3. Enter the command:
      regsvr32 /u CAPICOM.dll
   4. You should see the message "DllUnregisterServer in CAPICOM.dll succeeded"
   5. You can now safely delete CAPICOM.dll, if required
 
 To prevent the dialog box from appearing, use regsvr32 /u /s CAPICOM.dll instead
 
 Windows Scripting Host
 To automate the use of CAPICOM in batch files or logon scripts, you will need Windows Scripting Host (WSH). WSH should already be installed by default on the operating systems listed above, but the latest version can also be downloaded from http://msdn.microsoft.com/scripting. WSH provides a command-line utility, cscript.exe, for executing script files.
 CAPICOM itself is distributed with a sample VBScript file, CStore.vbs, which is able to import certificates stored in PKCS#12 files into the system. This script can be found in CAPICOM\samples\vbs\CStore.vbs. By default it assumes that certificates are to be imported into or deleted from the current user's MY store, which is where Internet Explorer will look for them when Client Authentication is requested.
 
 To import a PKCS#12 file into the current user's MY store:
   1. Open a Command Prompt window
   2. Change to the directory where CStore.vbs is installed
   3. Enter the command:
      cscript CStore.vbs import certfile password
      where certfile is the name of the PKCS#12 file to be imported, e.g. blah.p12 and password is the password for certfile
   4. You should see the message "1 certificate(s) successfully imported"
 
 To remove a certificate from the current user's MY store:
   1. Open a Command Prompt window
   2. Change to the directory where CStore.vbs is installed
   3. Enter the command:
      cscript CStore.vbs delete -delkey -subject screenonline
   4. Say yes to the deletion confirmation prompt (to avoid the prompt, append -noprompt to the list of options)
   5. You should see the message "1 certificate(s) successfully deleted"
 
 Note: without -delkey only the certificate is deleted; the private key remains
 
 -----------------------------
 Sample Logon Script
 
 The following is a sample batch file which demonstrates linking all the above steps together. It registers CAPICOM, clears any existing blahblah certificates, installs blahblah.p12 and then unregisters CAPICOM. To use this batch file, customise the environment variables at the top and make any other necessary customisations.
 
 @echo off
 
 echo Importing digital licence...
 
 rem Define the file locations as environment variables
 
 set DLLFILE=\\server\share\CAPICOM.dll
 set CSTOREFILE=\\server\share\CStore.vbs
 set CERTFILE=\\server\share\blahblah.p12
 set CERTPASS=**********
 
 rem This step can be omitted if CAPICOM is permanently installed
 
 regsvr32 /s %DLLFILE%
 
 rem Removing any existing blahblah certificates
 
 cscript /nologo %CSTOREFILE% delete -delkey -noprompt -subject blahblah
 
 rem Import the blahblah.p12 certificate with the supplied password
 
 cscript /nologo %CSTOREFILE% import %CERTFILE% %CERTPASS%
 
 rem This step can be omitted if CAPICOM is permanently installed
 
 regsvr32 /u /s %DLLFILE%
 ---------------------------------------
 Common Errors
 
 ActiveX component can't create object: 'CAPICOM.Store'
    CAPICOM.dll has not been correctly registered. See the section on registering above.
 The specified network password is not correct
    The certificate password you entered was incorrect. Please check and try again.
 0 certificate(s) successfully imported/deleted
    The certificate file may be invalid, or the certificate may already have been installed, or deleted.
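The following is an added example, not part of the original post or of the quoted CAPICOM article: a PowerShell equivalent of the sample logon script above, built on the PKI module cmdlets that ship with Windows 8 / Server 2012 and later (Get-PfxData, Import-PfxCertificate, Test-Certificate) instead of CAPICOM and CStore.vbs. The share path, the subject filter and the environment variable name are assumptions to replace with your own values. Compared with the batch file, it reads the PKCS#12 password from the environment rather than storing it in the script, skips the import when the same certificate (by thumbprint) is already present, removes only superseded certificates for that subject, imports the private key as non-exportable, and checks that the result chains to a trusted root (which is what the GPO Trusted Root Certification Authorities policy is for).

```powershell
# Added example (not the original post's or the quoted article's code).
# Assumptions: \\server\share\blahblah.p12, the subject filter and the
# CERTPASS environment variable are placeholders for your own values.

param(
    [string]$CertFile       = '\\server\share\blahblah.p12',   # assumed path
    [string]$SubjectLike    = 'CN=blahblah*',                   # assumed subject filter
    [string]$PasswordEnvVar = 'CERTPASS'                        # assumed variable name
)

$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'

# The PKCS#12 password is supplied by the deployment mechanism through an
# environment variable, so it is not written into a script on the share.
$plain = [Environment]::GetEnvironmentVariable($PasswordEnvVar)
if (-not $plain) { throw "Environment variable $PasswordEnvVar is not set" }
$password = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Inspect the PKCS#12 before touching the store. Get-PfxData also validates
# the password, so a wrong password fails here rather than half-way through.
$pfx = Get-PfxData -FilePath $CertFile -Password $password
$newCert = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $newCert) { throw "No end-entity certificate found in $CertFile" }

# Idempotent: if this exact certificate is already installed, do nothing.
$already = Get-ChildItem -Path $store |
    Where-Object { $_.Thumbprint -eq $newCert.Thumbprint }
if ($already) {
    Write-Output "Certificate $($newCert.Thumbprint) already installed; nothing to do."
    return
}

# Equivalent of 'CStore.vbs delete -delkey -subject ...', restricted to
# certificates matching the subject filter and not the one being installed.
Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like $SubjectLike -and $_.Thumbprint -ne $newCert.Thumbprint } |
    ForEach-Object {
        Write-Output "Removing superseded certificate $($_.Thumbprint) ($($_.Subject))"
        # -DeleteKey also removes the associated private key (like -delkey above).
        Remove-Item -Path $_.PSPath -DeleteKey
    }

# Import into the user's MY store. Without -Exportable the private key is
# marked non-exportable, so it cannot later be copied out of the store.
$imported = Import-PfxCertificate -FilePath $CertFile -CertStoreLocation $store -Password $password

# Verify the outcome: present in the store, has a private key, chains to a
# trusted root. A failed chain check usually means the CA certificate has
# not been published to Trusted Root Certification Authorities by GPO yet.
$installed = Get-ChildItem -Path $store |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Import of $CertFile did not produce a certificate with a private key"
}
if (-not (Test-Certificate -Cert $installed -Policy BASE -ErrorAction SilentlyContinue)) {
    Write-Warning "Certificate $($installed.Thumbprint) does not chain to a trusted root on this machine."
}
Write-Output "Imported certificate $($installed.Thumbprint) into $store"
```

Run it as the user whose store should receive the certificate (for example as a user logon script, the way the batch file above is used), with the password delivered through the named environment variable by the deployment mechanism. Because the script checks the thumbprint first, it can run at every logon without re-importing or churning the store.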