Solved

How can I install a .pfx ssl certificate so that all users in a citrix / terminal services environment have access to it?

Posted on 2009-07-15
Last Modified: 2013-12-08
Hello all. I need to install a .pfx certificate for all users. The
problem: when I install it, it is only available for the user who
installed, not for the rest.

Can this be done installing the .pfx one time only, or do I have to
install the same certificate for EVERY user??? If so, any ideas about how
I can automate the installation of the certificate for every user?

The environment is W2K3-SP2, CPS4.5.
Question by:ppsdit
10 Comments
 
LVL 14

Accepted Solution

by:
amichaell earned 250 total points
ID: 24868644
We use certutil to import our certificate.  We're doing a .cer, though you should be able to do a .pfx as well.  Upon user logon a batch file executes with the command below.  

c:\certutil\certutil.exe -addstore root c:\certutil\svcert.cer

You'll need to modify the paths at the least.
 
LVL 37

Assisted Solution

by:Carl Webster
Carl Webster earned 250 total points
ID: 24868656
Follow these instructions to import the .pfx file

Open mmc (Start > Run > mmc) and open the Certificates snap-in.

Select "local computer account" when prompted

You will then see on the left, certificates, please select the "personal" folder.

Right click the "personal" folder and select "All Tasks > Import"

Find the .pfx file you saved previously and import the certificate and private key into the MMC
 

Author Comment

by:ppsdit
ID: 24871543
Carl, Thank you for your insight.  I am a bit confused however, where are you suggesting that I run this procedure?  On each citrix server?  Would that be available for all users?

Thanks

 
LVL 37

Expert Comment

by:Carl Webster
ID: 24871639
Yes, on each Citrix server.  Since you are using the local computer it _should_ install for all users.  I have seen other Citrix forum postings that say this will need to be done for every user.
 

Author Comment

by:ppsdit
ID: 24873389
Unfortunately I do not see the certificate in IE when I install it the way you described, Carl.  And when I go to the site that the cert is for, it says it can't find a certificate.
Any idea why that might be?
 

Author Comment

by:ppsdit
ID: 24875249
the following script works perfectly:
c:\windows\system32\certutil -user -p password -importpfx -f \\server\path\cert.pfx
however it only works for local/domain administrators.

When I try running this as a logon script via group policy it does not correctly add the certificate to the personal store of the local user (and there is no entry in the certutil.log file).
When I try running as an admin user it does not seem to add the cert to the personal store.

Any advice would be greatly appreciated.

thanks,
0
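A per-user import like the certutil logon script in the post above can also be written against the .NET certificate store classes. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later is installed on the Citrix servers, the function name Import-UserPfx is hypothetical, and the path and password are the placeholders used above. It imports into CurrentUser\My, the per-user Personal store, rather than the Local Computer store used in the MMC steps.

```powershell
# Added example, not from the thread. Path and password are the thread's placeholders.
# Every user who can read this script and the share can recover the private key,
# so limit read access on both to the accounts that are meant to hold the certificate.
function Import-UserPfx {
    param(
        [string]$PfxPath     = '\\server\path\cert.pfx',
        [string]$PfxPassword = 'password'
    )
    $ns  = 'System.Security.Cryptography.X509Certificates'
    $ksf = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]

    # Probe load without PersistKeySet, only to read the thumbprint. Reset() releases
    # the certificate so the temporary key is cleaned up instead of piling up per logon.
    $probe = New-Object "$ns.X509Certificate2" ($PfxPath, $PfxPassword, $ksf::UserKeySet)
    $thumb = $probe.Thumbprint
    $probe.Reset()

    # CurrentUser\My is the "Personal" store of the logged-on user.
    $store = New-Object "$ns.X509Store" ('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try {
        # Idempotent: skip the import when this certificate is already in the store.
        if ($store.Certificates.Find('FindByThumbprint', $thumb, $false).Count -gt 0) {
            return "already present: $thumb"
        }
        # UserKeySet + PersistKeySet: the key is stored in this user's profile and kept.
        # Exportable is not set, so the key cannot be exported from the store again.
        $flags = ($ksf::UserKeySet -bor $ksf::PersistKeySet) -as $ksf
        $cert  = New-Object "$ns.X509Certificate2" ($PfxPath, $PfxPassword, $flags)
        if (-not $cert.HasPrivateKey) { throw "No private key in $PfxPath" }
        $store.Add($cert)
        return "imported: $thumb"
    }
    finally {
        $store.Close()
    }
}

Import-UserPfx
```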
 
LVL 37

Assisted Solution

by:Carl Webster
Carl Webster earned 250 total points
ID: 24897964
Try CAPICOM from Microsoft:

http://msdn.microsoft.com/en-us/library/ms995332.aspx

then use the cstore.vbs in a batch file to import the certificate.
 
LVL 37

Expert Comment

by:Carl Webster
ID: 24898012
 

Author Comment

by:ppsdit
ID: 24928249
Thank you for your suggestions.  In the end, I couldn't spend much more time on this.  The CAPICOM option seems promising but I decided I needed to find a different solution.
This is what I did:
I downloaded a fully encapsulated thinapp version of firefox from thindownload.com
I am easily able to manually add the certificates to each user's profile in firefox (I was able to do so in IE but the page would not display properly).  I have not yet figured out how to do so with a script but since I was just going to publish that thinapp via citrix to about a dozen users, I did it manually this time.  Thank you for all your help.
