bjones8888 asked:

Digital Signature / Certificate Deployment

I have Outlook Add-Ins (DLLs) that I need to deploy to client networks.  I have them digitally signed (Verisign certificate). Our deployment method is that a user launches our program, which checks a server for updates and copies them to the desktop if necessary. The problem is that they get a warning message from Outlook saying that another program is trying to access e-mail (or contacts) and prompts them to allow or not.  If they manually install our certificate from the dll, the message is circumvented.  But having thousands of users do that is not preferable.  

How can I instruct the network administrators to deploy my certificate so that this message doesn't come up?  (Some are using Active Directory, and some not.)

I've read something about certutil, but don't know enough to say whether the following statement is the preferred deployment method:

certutil -addstore root mycert.der

Is there a better way, or is this the best way?  (I also could use Advanced Installer, if that helps.)

8/22/2022 - Mon
Paranormastic

For GPO:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

For non-GPO - are these all Windows or some Linux, etc.?  If Linux, I would look into OpenSSL for your scripting method.  OpenSSL has versions that run using the same context for pretty much every OS.

Note that workstation OSes do not have certutil installed - you would need to deploy the 2003 or 2008 adminpak.  Pretty much any automated method will require that you deploy additional software, though.

For scripts, this is pretty slick - look for the cert.pl utility on the page:
http://unattended.sourceforge.net/apps.php
ASKER
bjones8888

If certutil is used as part of a login script, for example (Windows OS), couldn't that be run from somewhere other than the local machine, but act on the local machine, without having to distribute certutil?  For example:

\\Server\Util\certutil -addstore root mycert.der
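
An added example, not part of the original thread: a PowerShell wrapper an administrator could run around the certutil command discussed above. It checks the certificate file against a thumbprint obtained from the vendor out of band before importing it. The thumbprint value and the certutil path are placeholders and assumptions; the file and store names come from the thread.

```powershell
# Added example: verify a vendor-supplied certificate, then import it with certutil.
# Run elevated: the local machine certificate stores require administrative rights.
param(
    [string]$CertPath  = '.\mycert.der',                  # file name used in the thread
    [string]$StoreName = 'Root',                          # store used in the thread's command
    [string]$ExpectedThumbprint = 'REPLACE_WITH_VENDOR_THUMBPRINT',  # placeholder
    [string]$CertUtil  = 'certutil.exe'                   # assumption: certutil is on PATH
)
$ErrorActionPreference = 'Stop'

$resolved = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $resolved

# 1. The file must be the certificate the vendor announced (SHA-1 thumbprint).
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# 2. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. Report what kind of certificate is about to be trusted.
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$bc = $cert.Extensions | Where-Object { $_ -is $bcType }
$isCA = [bool]($bc -and $bc.CertificateAuthority)
$selfIssued = ($cert.Subject -eq $cert.Issuer)
Write-Output "Subject: $($cert.Subject)"
Write-Output "Issuer:  $($cert.Issuer)"
Write-Output "CA certificate: $isCA  Self-issued: $selfIssued"
if ($StoreName -eq 'Root' -and -not ($isCA -and $selfIssued)) {
    # Every certificate in the Root store is treated as a trust anchor.
    Write-Warning 'This is not a self-signed CA certificate; review the choice of store.'
}

# 4. Skip the import when the certificate is already in the store.
$present = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($present) { Write-Output "Already in $StoreName; nothing to do."; return }

# 5. Import with the command from the thread and fail loudly on error.
& $CertUtil -addstore $StoreName $resolved
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
```
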
ASKER CERTIFIED SOLUTION
Paranormastic
