Solved

Pushing down certificates using AD into user personal certificate store

Posted on 2014-03-19
8
565 Views
Last Modified: 2014-05-20
Hi Experts,

How can we push a third party client authentication certificate (used for 2 way SSL) using AD to a user's personal certificate store?
0
Question by:arunmagic
8 Comments
 
LVL 33

Expert Comment

by:Dave Howe
Yes. Certificates in the user's personal store are just registry keys, so can be pushed using group policy.

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates

(system certificates are in a similar place on HKLM)

Note: these are just the certificates, not including private keys.
0
 

Author Comment

by:arunmagic
How do we push down the certificates and private keys (like in a pfx file)?
0
 
LVL 33

Accepted Solution

by: Dave Howe earned 500 total points
If you need to push those, I think you are more likely to want to look at using a login script and something like CertUtil. There is a way to do this with PowerShell too, but it's pretty complex (requires you to call the applicable .NET libraries directly), so a batch file with certutil is probably your easiest route.
0
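As an added example (not code from this thread or from the participants), the logon-script approach the accepted answer describes, written in PowerShell instead of a certutil batch file: it imports a client-authentication PFX into the current user's Personal store only when the expected certificate is not already there, marks the key non-exportable, and checks that what was imported is the expected certificate. The share path, the expected thumbprint and the password file are placeholders; Import-PfxCertificate comes with the PKI module (Windows 8 / Server 2012 and later), and the password file should carry an NTFS ACL that limits reading to the intended user, since anything written into the script body is readable by everyone who can read the share.

```powershell
# Added example: idempotent PFX import for a user logon script (not from the thread).
param(
    [string]$PfxPath         = '\\dc01\NETLOGON\certs\client-auth.pfx',   # placeholder
    [string]$PfxPasswordFile = "$env:APPDATA\client-auth.pwd",            # placeholder
    [string]$Thumbprint      = '<EXPECTED-CERT-THUMBPRINT>'               # placeholder
)

$store = 'Cert:\CurrentUser\My'

# A logon script runs at every logon, so skip the import when the cert is already installed.
if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }) {
    Write-Verbose "Certificate $Thumbprint already present in $store"
    return
}

# Keep the PFX password out of the script body and off the command line: read it from a
# file whose ACL restricts it to this user. (Assumed layout; adjust to your environment.)
$password = (Get-Content -Path $PfxPasswordFile -Raw).Trim() |
    ConvertTo-SecureString -AsPlainText -Force

# Without -Exportable the private key is stored as non-exportable in the user's key store.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store -Password $password

if ($cert.Thumbprint -ne $Thumbprint) {
    # The file on the share is not the certificate we expected (swapped or tampered):
    # remove what was just imported, including its private key, and fail loudly.
    Remove-Item -Path (Join-Path $store $cert.Thumbprint) -DeleteKey
    throw "Imported certificate $($cert.Thumbprint) does not match expected $Thumbprint"
}

Write-Verbose "Imported '$($cert.Subject)' into $store"
```

On systems without the PKI module, the certutil equivalent the accepted answer points to is a one-liner of the form `certutil -user -p <password> -importpfx <file.pfx> NoExport`, with the same caveat that a password placed on that command line is visible to anyone who can read the script.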
 

Author Comment

by:arunmagic
So where do I keep the certificates in this case?
0
 
LVL 33

Expert Comment

by:Dave Howe
PFX files? Probably on the NETLOGON administrative share on the domain controllers (which is the classic location for login scripts and their attendant administrivia).
0
 
LVL 61

Expert Comment

by:gheist
Why should you ever see a user's private key? Why would you want to compromise your security by issuing users your private keys?
0
 
LVL 33

Expert Comment

by:Dave Howe
@gheist:
  There are times that is advisable - certainly, if the key is used for business purposes, you will want a recovery mechanism in place in case the device crashes, the employee leaves or any other case where the employee is unwilling or unable to unlock data secured to that key.

  None of that prevents the user creating and using their own keys for private/personal purposes.
0
 
LVL 47

Expert Comment

by:dstewartjr
Here's how I do it:

Create a share and place capicom.dll and cstore.vbs in it.

Then a logon script with the following:

@ECHO OFF
REM Copy capicom.dll to system32 only if it is not already there
if exist c:\windows\system32\capicom.dll goto next
:copy
copy "\\server\certificates\capicom.dll" "C:\windows\system32\"
:next
REM Register the CAPICOM COM component silently
regsvr32 /s capicom.dll
REM Import each PFX (with its private key) into the current user's store
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert1.pfx P@ssword
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert2.pfx P@ssw0rd

More here:

http://www.visualbasicscript.com/m37106-print.aspx
0