  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 597

Pushing down certificates using AD into user personal certificate store

Hi Experts,

How can we push a third party client authentication certificate (used for 2 way SSL) using AD to a user's personal certificate store?
Asked by arunmagic
 
Dave Howe (Software and Hardware Engineer) commented:
Yes. Certificates in the user's personal store are just registry keys, so they can be pushed using group policy.

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates

(system certificates are in a similar place under HKLM)

Note: these are just the certificates, not including private keys.
0
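To see what Dave Howe means by the store being registry keys, here is an added example (not from the thread) that walks HKCU\Software\Microsoft\SystemCertificates\My\Certificates and decodes each Blob value. The Blob layout used here (12-byte property headers, property 32 carrying the DER certificate, property 2 naming a key container) is the CryptoAPI property-list format; the script assumes it runs as the user whose store is being inspected.

```powershell
# Added example, not from the thread: decode the user's personal certificate
# store straight from the registry keys Dave Howe mentions. Assumes it runs as
# the user whose store is being inspected; no elevation is needed for HKCU.
$storeKey = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'

function Read-CertBlob {
    # The REG_BINARY "Blob" value is a list of CryptoAPI certificate properties:
    #   DWORD propId | DWORD reserved (usually 1) | DWORD length | <length bytes>
    # propId 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate itself.
    # propId 2  (CERT_KEY_PROV_INFO_PROP_ID), when present, only names the key
    # container; the private key bytes live in the user's profile, not here.
    param([byte[]]$Blob)
    $propIds = @()
    $der     = $null
    $pos     = 0
    while (($pos + 12) -le $Blob.Length) {
        $propId = [int][BitConverter]::ToUInt32($Blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos   += 12
        if ($propId -eq 32 -and $len -gt 0) {
            $der = [byte[]]$Blob[$pos..($pos + $len - 1)]
        }
        $propIds += $propId
        $pos += $len
    }
    New-Object PSObject -Property @{ PropertyIds = $propIds; Der = $der }
}

Get-ChildItem $storeKey | ForEach-Object {
    $blob   = (Get-ItemProperty -Path $_.PSPath -Name Blob).Blob
    $parsed = Read-CertBlob -Blob $blob
    # The comma wraps the byte[] so New-Object passes it as a single argument.
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$parsed.Der)
    New-Object PSObject -Property @{
        RegistryKey   = $_.PSChildName            # SHA-1 thumbprint, upper case
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        PropertyIds   = ($parsed.PropertyIds -join ',')
        HasKeyPointer = ($parsed.PropertyIds -contains 2)
    }
} | Format-Table RegistryKey, Subject, NotAfter, HasKeyPointer, PropertyIds -AutoSize
```

HasKeyPointer only tells you the certificate is linked to a key container; the key material itself sits under the user's profile (%APPDATA%\Microsoft\Crypto), protected by DPAPI, which is why copying these registry keys with Group Policy Preferences delivers the certificate and nothing else.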
 
arunmagic (Author) commented:
How do we push down the certificates and private keys (like in a pfx file)?
0
 
Dave Howe (Software and Hardware Engineer) commented:
If you need to push those, I think you are more likely to want to look at using a login script and something like CertUtil - there is a way to do this with PowerShell too, but it's pretty complex (requires you to call the applicable dotnet libraries directly), so a batch file with certutil is probably your easiest route.
0
 
arunmagic (Author) commented:
So where do I keep the certificates in this case?
0
 
Dave Howe (Software and Hardware Engineer) commented:
pfx files? Probably on the NETLOGON administrative share on the domain controllers (which is the classic location for login scripts and their attendant administrivia).
0
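The logon-script route Dave Howe describes above (certutil or PowerShell calling .NET directly), with the PFX kept on the NETLOGON share as he suggests, as an added example that is not part of the thread. It uses the .NET X509 classes so it works on PowerShell 2.0 without the PKI module; the share path, file name and password are placeholders, and it is written to be safe to run at every logon.

```powershell
# Added example, not from the thread: per-user logon script that imports a
# client-authentication PFX into the user's personal store (CurrentUser\My).
# ASSUMED placeholders: the NETLOGON path, file name and PFX password below.
param(
    [string]$PfxPath     = '\\contoso.example\NETLOGON\certs\client-auth.pfx',
    [string]$PfxPassword = 'P@ssw0rd'   # placeholder; anyone who can read NETLOGON can read this
)

# 1. Load the PFX once WITHOUT persisting the key, just to learn its thumbprint.
$probe      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$thumbprint = $probe.Thumbprint

# 2. Open the user's personal store and skip the import if the cert and its key are there.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates |
        Where-Object { $_.Thumbprint -eq $thumbprint -and $_.HasPrivateKey }
    if ($present) {
        Write-Output "Already installed: $thumbprint"
        return
    }

    # 3. Load again with the key persisted into the user's key container.
    #    'Exportable' is deliberately NOT set, so the user cannot re-export the
    #    private key from the store afterwards (the PFX on the share still needs
    #    to be protected separately).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $store.Add($cert)
    Write-Output "Imported $($cert.Subject) as $($cert.Thumbprint)"
}
finally {
    $store.Close()
}
```

The certutil equivalent Dave mentions is a one-liner in a batch logon script, `certutil -user -p <password> -importpfx <file.pfx>`, and on Windows 8 / Server 2012 and later the PKI module's `Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My` does the same job. Whichever you use, note the point gheist raises below: a password embedded in a script on a share every domain user can read only obscures the PFX, so restrict NTFS permissions on the PFX to the users who need it, and if each user needs a distinct key, certificate autoenrollment through Group Policy avoids distributing key material at all.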
 
gheist commented:
Why should you ever see a user's private key? Why would you want to compromise your security by issuing users your private keys?
0
 
Dave Howe (Software and Hardware Engineer) commented:
@gheist:
  There are times that is advisable - certainly, if the key is used for business purposes, you will want a recovery mechanism in place in case the device crashes, the employee leaves, or any other case where the employee is unwilling or unable to unlock data secured to that key.

  None of that prevents the user creating and using their own keys for private/personal purposes.
0
 
Donald Stewart (Network Administrator) commented:
Here's how I do it:

Create a share and place capicom.dll and cstore.vbs in it.

Then a logon script with the following:

@ECHO OFF
REM Copy CAPICOM into System32 once; the copy step needs write access to System32.
if exist c:\windows\system32\capicom.dll goto next
:copy
copy "\\server\certificates\capicom.dll" "C:\windows\system32\"
:next
REM Register the COM component silently (/s) so CStore.vbs can create CAPICOM objects.
regsvr32 /s c:\windows\system32\capicom.dll
REM Import each PFX (file, then its password) into the current user's personal store.
REM These passwords are readable by every user who can run this script.
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert1.pfx P@ssword
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert2.pfx P@ssw0rd

More here:

http://www.visualbasicscript.com/m37106-print.aspx
0
