Solved

Pushing down certificates using AD into user personal certificate store

Posted on 2014-03-19
8
584 Views
Last Modified: 2014-05-20
Hi Experts,

How can we push a third party client authentication certificate (used for 2 way SSL) using AD to a user's personal certificate store?
0
Comment
Question by:arunmagic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39939736
Yes. Certificates in the user's personal store are just registry keys, so can be pushed using group policy.

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates

(system certificates are in a similar place on HKLM)

note, these are just the certificates, not including private keys.
0
 

Author Comment

by:arunmagic
ID: 39939747
How do we push down the certificates and privake keys (like in a pfx file)?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39939804
if you need to push those, I think you are more likely to want to look at using a login script and something like CertUtil - there is a way to do this with powershell too, but its pretty complex (requires you to call the applicable dotnet libraries directly) so a batch file with certutil is probably your easiest route.
0
Limited time offer using promo code EXPERTS25

Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through August 31, 2017, Experts Exchange members get 25% off the US7220 on the ATEN USA eShop using promo code EXPERTS25.

 

Author Comment

by:arunmagic
ID: 39939824
So where do I keep the certificates in this case?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39939873
pfx files? probably on the NETLOGON administrative share on the domain controllers (which is the classic location for login scripts and their attendant administrivia)
0
 
LVL 62

Expert Comment

by:gheist
ID: 39940404
Why sould you ever see user's provate key? Why you want  to compromise your security by issuing users your private keys?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39941786
@gheist:
  There are times that is advisable - certainly, if the key is used for business purposes, you will want a recovery mechanism in place in case the device crashes, the employee leaves or any other case where the employee is unwilling or unable to unlock data secured to that key.

  None of that prevents the user creating and using their own keys for private/personal purposes.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 39978338
Here's how I do it:

Create a share and place capicom.dll and cstore.vbs in it

Then a logon script with the following

@ECHO OFF
if exist c:\windows\system32\capicom.dll goto next
:copy
copy "\\server\certificates\capicom.dll" "C:\windows\system32\"
:next
regsvr32  /s capicom.dll
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert1.pfx P@ssword
cscript \\server\certificates\CStore.vbs import \\server\certificates\cert2.pfx P@ssw0rd

more here

http://www.visualbasicscript.com/m37106-print.aspx
0

Featured Post

WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question