arunmagic
asked on
Pushing down certificates using AD into user personal certificate store
Hi Experts,
How can we push a third party client authentication certificate (used for 2 way SSL) using AD to a user's personal certificate store?
ASKER
How do we push down the certificates and private keys (like in a pfx file)?
ASKER
So where do I keep the certificates in this case?
pfx files? probably on the NETLOGON administrative share on the domain controllers (which is the classic location for login scripts and their attendant administrivia)
Why should you ever see a user's private key? Why would you want to compromise your security by issuing users your private keys?
@gheist:
There are times that is advisable - certainly, if the key is used for business purposes, you will want a recovery mechanism in place in case the device crashes, the employee leaves or any other case where the employee is unwilling or unable to unlock data secured to that key.
None of that prevents the user creating and using their own keys for private/personal purposes.
Here's how I do it:
Create a share and place capicom.dll and cstore.vbs in it
Then a logon script with the following
@ECHO OFF
if exist c:\windows\system32\capicom.dll goto next
:copy
copy "\\server\certificates\capicom.dll" "C:\windows\system32\"
:next
regsvr32 /s capicom.dll
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert1.pfx P@ssword
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert2.pfx P@ssw0rd
more here
http://www.visualbasicscript.com/m37106-print.aspx
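The same logon-script approach using the built-in PKI module that ships with Windows 8 / Server 2012 and later instead of CAPICOM; this is an added example, not code from the thread. It assumes the share path from the post, placeholder thumbprints for the two certificates, and that the PFX password is passed in as a SecureString parameter rather than written into the script.

```powershell
# Added example: idempotent import of PFX files into the user's personal
# (CurrentUser\My) store. Assumptions: share path and file names from the
# thread, thumbprints are placeholders, password supplied by the caller.
param(
    [string]$Share = '\\server\certificates',
    [Parameter(Mandatory)][SecureString]$PfxPassword
)

# Constructed list pairing each PFX with the SHA-1 thumbprint of the
# certificate it contains (placeholder values; replace with real ones).
$certs = @(
    @{ File = 'cert1.pfx'; Thumbprint = '0000000000000000000000000000000000000001' },
    @{ File = 'cert2.pfx'; Thumbprint = '0000000000000000000000000000000000000002' }
)

foreach ($c in $certs) {
    # Skip certificates already present so the script is safe to run at
    # every logon without piling up duplicate entries.
    $storePath = Join-Path 'Cert:\CurrentUser\My' $c.Thumbprint
    if (Test-Path $storePath) {
        Write-Verbose "$($c.Thumbprint) already in store; skipping"
        continue
    }

    $pfx = Join-Path $Share $c.File
    # Without -Exportable the imported private key is marked non-exportable,
    # so it cannot later be re-exported as a PFX from the user's store.
    # Note that anyone who can read the PFX and its password on the share
    # already holds the key material; the store flag only limits re-export.
    Import-PfxCertificate -FilePath $pfx `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Password $PfxPassword | Out-Null
    Write-Verbose "Imported $pfx"
}

# Show what landed in the personal store so the deployment can be verified.
Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -in $certs.Thumbprint } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```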
HKEY_CURRENT_USER\Software
(system certificates are in a similar place on HKLM)
Note: these are just the certificates, not including private keys.