Self-signed certificate to enroll user and import - PowerShell, VB or GPO

We have an application that does signature signing that requires a self-signed certificate. The certificate has to be unique to the user, and we would also like to extend the default 365 days out to 20 years.

So to clarify, the steps I would take as a manual process would be to go to certmgr.msc.
Under Personal > Certificates, right-click, Request New Certificate. Going through the menu, I select Active Directory Enrollment and select "Users". A self-signed cert is not created under my name under Personal > Certificates.

I would prefer a PowerShell script to push this out, or if there is a GPO option that would be fantastic. Open to VB script as well if it can get the job done.

I have attached a Word document with screenshots as a better explanation.

David Johnson, CD, MVP (Owner) commented:
Self-signed certificate or one from a local Certificate Authority... there is a huge difference.
PowerShell Certificate scripting

If you want to change the certificate life, then you have to modify the user template in the CA and change it there.
tools2teach (Author) commented:
A certificate authority is what I think I meant. Would it be possible to do this with group policy objects?
tools2teach (Author) commented:
Sorry... I'm a newbie when it comes to certificates. The PowerShell script command to request and import a certificate is a little confusing. Does anyone have a sample script that I could look at? Basically I want a script for the above purpose. Please see the attached screenshot as it explains my situation better.
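The two points raised so far (a CA-issued certificate is not the same thing as a self-signed one, and the lifetime is decided by the CA's template, not by the client) can be put into one small enrollment script. The script below is an added example written for this thread, not code posted by any participant or shipped by Microsoft. It assumes a domain-joined client with the PKI module (`Get-Certificate`, available on Windows 8 / Server 2012 and later), an enterprise CA reachable through Active Directory enrollment policy, and a template whose display name is `User` (the name is an assumption; substitute your environment's template). Older clients without the PKI module would need `certreq` instead, which is not shown.

```powershell
# Added example (not from the thread). Ensures the logged-on user holds a
# CA-issued certificate from the given template in the Personal store, and
# requests one from the enterprise CA when none usable is present.
#
# Assumptions: PKI module present, enterprise CA discoverable via AD,
# template name 'User' (hypothetical; adjust $TemplateName).
#Requires -Modules PKI

$TemplateName  = 'User'                  # assumed template display name
$MinDaysLeft   = 30                      # treat certs expiring sooner as unusable
$StoreLocation = 'Cert:\CurrentUser\My'  # the user's Personal store

function Test-SelfSigned {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A self-signed certificate names itself as issuer; a CA-issued one names the CA.
    return ($Cert.Subject -eq $Cert.Issuer)
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Version 1 templates (the built-in 'User' template is one) record their name
    # in the Certificate Template Name extension, OID 1.3.6.1.4.1.311.20.2.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($null -eq $ext) { return $null }
    return $ext.Format($false).Trim()
}

function Find-UsableUserCert {
    # Longest-lived CA-issued certificate from the template that still has
    # its private key and at least $MinDaysLeft days of validity, or $null.
    Get-ChildItem $StoreLocation |
        Where-Object {
            $_.HasPrivateKey -and
            -not (Test-SelfSigned $_) -and
            (Get-TemplateName $_) -eq $TemplateName -and
            $_.NotAfter -gt (Get-Date).AddDays($MinDaysLeft)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Invoke-UserCertEnrollment {
    $existing = Find-UsableUserCert
    if ($existing) {
        Write-Host "Usable certificate already present: $($existing.Subject), expires $($existing.NotAfter)"
        return $existing
    }

    # No -Url: the cmdlet uses the Active Directory enrollment policy, so the
    # domain's enterprise CA is located automatically. The validity period of
    # the issued certificate comes from the template and CA settings; the
    # client cannot ask for 20 years here.
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation $StoreLocation
    if ($result.Status -eq 'Issued') {
        $cert = $result.Certificate
        Write-Host "Issued: $($cert.Subject) by $($cert.Issuer), valid until $($cert.NotAfter)"
        return $cert
    }
    Write-Warning "Enrollment did not complete immediately; status: $($result.Status)"
    return $null
}

Invoke-UserCertEnrollment
```

Run it in the user's own session (for example as a user logon script) so the certificate lands in that user's Personal store and is issued to that user's AD account. `Test-SelfSigned` is the check behind the first reply: if `Subject` equals `Issuer`, nothing outside the workstation vouches for the key, which is why a self-signed certificate and a CA-issued one are not interchangeable for signing.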

Will Szymkowski (Senior Solution Architect) commented:
GPO would be the most appealing method of deployment, and ADCS works hand-in-hand with GPO, which is the recommended way to push out certs. See the link below for additional steps on how to accomplish this.

tools2teach (Author) commented:
Thank you... I looked at this option, but the only thing is that the cert needs to be a user-signed certificate to go into the Personal store instead of the Trusted Root. If I can make it work in GPO then that would make life a whole lot easier. Am I missing the boat here?

I'm reading about various methods of doing this by using makecert.exe from the SDK.
David Johnson, CD, MVP (Owner) commented:
Do you have a local Certificate Authority... is ADCS running on one of your servers?
tools2teach (Author) commented:
When I say "user signed", I mean it has to be issued to that specific user who is logged into his/her workstation.

Ex. Issued to John Doe
tools2teach (Author) commented:
Yes, I have ADCS running on the domain controller.
tools2teach (Author) commented:
OK, I have the Standard edition of Server 2008 with the ADCS role installed. It's my understanding that I will not be able to create custom/duplicate templates and autoenroll through GPO.

Can you confirm this?
Will Szymkowski (Senior Solution Architect) commented:
You can put the cert in whatever store you want using GPO. Just select the Personal Store.

GPO is the best way for this.

tools2teach (Author) commented:
Thanks for the replies. The issue with GPO that I am finding out is that we are using Windows 2008 Standard for ADCS. We won't be able to take advantage of certificate templates and autoenrollment through GPO, unfortunately. I need to find a script that would be able to do what we need.
tools2teach (Author) commented:
Maybe it would be a whole lot easier to implement enterprise ADCS into our environment. Do you foresee any issues running ADCS in our environment?
Windows Server 2008