Deploy SSL Certificates to Users' Personal Store

https://www.jasonpearce.com/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).

Next I created a .BAT script named import-certificate.bat which runs this command:

certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx"

I then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

Set oShell = CreateObject ("Wscript.Shell")
Dim strArgs
strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat"
oShell.Run strArgs, 0, false


https://masterxen.wordpress.com/2014/01/07/automatically-deploy-ssl-certificates-to-users-profile/

1. Deployment Scripts

Update the variables between <……>

Script 1 – ImportPFX.vbs

' Launch the PowerShell import script hidden so the user sees no console window
Set objShell = CreateObject("Wscript.shell")
objShell.run("powershell -executionpolicy bypass -windowstyle hidden -file \\<domain>\netlogon\Certificates\ImportPFX.ps1")

 

Script 2 – ImportPFX.ps1

function Import-PfxCertificate {
param([String]$certPath,[String]$certRootStore = "CurrentUser",[String]$certStore = "My",$pfxPass = $null)
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
# Prompt for the password only when none was passed on the command line
if ($pfxPass -eq $null) {$pfxPass = read-host "Enter the pfx password" -assecurestring}
# Load the PFX; the private key is persisted in the user's key store and marked exportable
$pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
}

#*=============================================================================
#* SCRIPT BODY
#*=============================================================================
# Call the "Import-PfxCertificate" function.

Import-PfxCertificate "<path to certificate>\<Certificate.pfx>" "CurrentUser" "My" "<password>"


Import-PfxCertificate Command Syntax

Import-PfxCertificate "<path to certificate>\<Certificate.pfx>" "CurrentUser" "My" "<Password>"

"<path to certificate>\<Certificate.pfx>" = Location of the certificate file
"CurrentUser"                              = Personal user store
"My"                                       = Personal cert store
"<Password>"                               = Password of the PFX certificate
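An added example, not code from either of the cited posts: an idempotent variant of the ImportPFX.ps1 logic for use as a logon script. It skips the import when the certificate is already in the store, refuses to import a PFX whose thumbprint differs from the one you expect (the file sits on a share), and does not mark the private key Exportable. The function name differs from the page's because Windows 8 / Server 2012 and later ship a built-in Import-PfxCertificate cmdlet in the PKI module that the page's function would shadow. The share path, the expected thumbprint and the password value are placeholders.

```powershell
# Added example (not from either cited post). Placeholders: share path,
# <THUMBPRINT ...>, <password>. Tested assumptions: .NET X509Certificate2 /
# X509Store classes as used by the original ImportPFX.ps1.
function Import-UserPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$ExpectedThumbprint = '<THUMBPRINT OF vendorcertificate.pfx>',
        [string]$StoreName = 'My',
        [string]$StoreLocation = 'CurrentUser'
    )
    if (-not (Test-Path -LiteralPath $PfxPath)) {
        throw "PFX not found: $PfxPath"
    }
    # Persist the key in the user's key container but do NOT mark it Exportable:
    # the original "Exportable,PersistKeySet" lets the user (or anything running
    # as the user) export the private key again later with certmgr.msc.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $PfxPassword, $flags)

    # The file comes from a share: only import the certificate you intended to deploy.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($pfx.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: got $($pfx.Thumbprint), expected $expected"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Logon scripts run at every logon: do nothing if the cert is already present.
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $pfx.Thumbprint, $false)
        if ($existing.Count -gt 0) { return "AlreadyPresent $($pfx.Thumbprint)" }
        $store.Add($pfx)
        return "Imported $($pfx.Thumbprint)"
    } finally {
        $store.Close()
    }
}

# Script body. The password still has to be readable by the user at logon, as in
# the original scripts, so the NETLOGON\Certificates folder ACL is what limits who
# can pick it up.
$pfxPw = ConvertTo-SecureString -String '<password>' -AsPlainText -Force
Import-UserPfx -PfxPath "\\<domain>\netlogon\Certificates\<Certificate.pfx>" -PfxPassword $pfxPw
```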

2. Deploy Script via GPO

I created an additional GPO and modified the Logon Script path to run the vbs file above.

User Configuration > Policies > Windows Settings > Scripts > Logon

– Script Name: \\<domain>\NETLOGON\Certificates\ImportPFX.vbs

2a. Apply Security to GPO

In our case we wanted to deploy the certificates to users in a certain AD Group.

Follow this procedure exactly, otherwise the GPO won't apply:

  1. Under Security Filtering leave Authenticated Users, do not remove!!
  2. Click Delegation tab
  3. Click Advanced button
  4. Select Authenticated Users, untick ‘Apply Group Policy’ under Allow only
  5. Add in AD Group, tick ‘Apply Group Policy’ under Allow
  6. If you go back to Security Filtering you'll notice Authenticated Users has now gone and your AD Group is listed; don't worry about this.

 
