push out p12 certificate to computers on windows 2008 domain

Trying to eliminate some administrative overhead here...

Have a client that we exchange information with (via web based portal) using a certificate that they have provided to our company.  We have incorporated this functionality into another web based application.

When we import the .p12 certificate they provided manually on a computer, everything works fine, however we have been trying to get it to push out using a domain policy rather than manually installing this thing on every computer, and when it expires, repeating the process.

Efforts to add it to the domain policy editor under
>  computer configuration/windows settings/Public Key Policies/Trusted Root Certification Authorities
result in it effectively not being installed (though looking on the computer it is there, the web page simply does not display because the certificate is not there... catch-22).

Manually going to a computer and importing the certificate, everything works as expected.

Thoughts, ideas, something I am misunderstanding?

mcsween (Sr. Network Administrator) commented:
Try setting "Certificate Services Client - Auto-Enrollment" to Enabled

Paranormastic (Cryptographic Engineer) commented:
OK, I'm just cringing here.  Why do you want to deploy a P12 file issued from another company to everything/lots of things in your network?  This is not good security and/or something isn't set up right if they need you to do this.  If everyone has the private key to the same cert installed then they can all sniff each other's traffic...

That being said... You can't really deploy it via GPO since it needs a password.  You could use a logon script to run 'certutil -p PASSWORD -importpfx filename.pfx' -- note you need to put the password for the p12 into that script, which is another bad idea.

If it was just the cert instead of a p12 (i.e. if there wasn't the private key) then you could deploy as a root cert via GPO.  If the private key is not needed then that would be the way to go.

If they need a cert that is trusted by them to contact your clients for something they are hosting or for a client authentication cert, then look into setting up your own CA to issue proper certificates and have their box import your root CA certificate and deploy your root CA cert via GPO to your clients.  Take the security of your clients that you are responsible for into your own hands.
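An added diagnostic (not from either answer) that makes the distinction Paranormastic draws visible on a workstation: it reports, for one certificate thumbprint, which stores hold the certificate and whether a private key came with it. The thumbprint is a placeholder to replace, the four stores checked are the ones relevant here, and the script assumes PowerShell with the Cert: drive (2.0 or later).

```powershell
# Added example: verify where a certificate landed and whether its private key is present.
# A GPO entry under Trusted Root Certification Authorities only places the public certificate
# in LocalMachine\Root. A client-authentication cert has to sit in a Personal (My) store
# together with its private key before the browser can present it to the portal.
param(
    # Placeholder: replace with the SHA-1 thumbprint from the certificate's Details tab.
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

# Tolerate a thumbprint pasted with spaces or colons from the certificate dialog.
$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''

$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
            'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My')

$found = $false
foreach ($store in $stores) {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($cert) {
        $found = $true
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        "{0,-26} private key: {1,-5} expires in {2} days  {3}" -f $store, $cert.HasPrivateKey, $days, $cert.Subject
    }
}

if (-not $found) {
    "Certificate $Thumbprint is not installed in any of the checked stores."
    exit 1
}

# The condition the portal actually depends on: the cert in a Personal store with its private key.
$usable = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' -ErrorAction SilentlyContinue |
          Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
if ($usable) {
    "OK: client certificate with private key is present."
    exit 0
}
"WARNING: only the public certificate is present (what a Trusted Root GPO delivers); client authentication will fail."
exit 2
```

Running it on a machine where the GPO "worked" versus one where the P12 was imported by hand shows the difference in the private key column rather than in whether the certificate exists at all.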
