Scripting Group Policy - Adding a Certificate

  • Question

  • Hi All

    I've written a fairly extensive PowerShell script to update and configure group policy as we move group policy through our various life-cycle and training environments.  The script is very good at updating any values that are specific to the target environment.  A certificate has recently been deployed using group policy for a particular application, but the certificate is different in each environment, so I want to add logic to my GPO script to deal with this.  The certificate exists in a known location in each environment.

    I've found where the certificate is stored in the registry both when it is installed manually or using GPO.  These are:

    HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<Thumbprint>

    HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<Thumbprint>

    I know how to read and edit a group policy using PowerShell using Get-GPRegistryValue and Set-GPRegistryValue, and I can see that if I add the certificate to a group policy via GPMC the Registry.pol file gets updated, so I was hoping to just add values using these commands.  I also know how to read a certificate from a file and get the thumbprint, the public key and other information out of the certificate.  This is all straightforward.

    Unfortunately I don't know what value to add.  The certificate data is a REG_BINARY blob and most of the data is the certificate public key (I can easily see that).  But there is more data than just the public key ... there appears to be a header or some metadata that is also added to the 'blob' that I don't understand.

    I've tried installing the certificate on the machine where my script runs and then just copying the resulting binary data into the group policy, but this doesn't work.  When I do this I get an error from GPMC when I try to view the GPO, though I can still open the GPO and add the certificate manually, and that fixes the problem.

    I'm not sure if any of this is clear, but I'm hoping someone can help me figure out how to use PowerShell to populate a certificate into a Group Policy Object.

    The code below is the proof-of-concept code I've used to import the certificate locally and then copy the binary data to the GPO.  This does not work, but it may show what I'm trying to do.  I'd much rather just create the value in code and populate the GPO; this was just an idea to try to get the correct binary data.

    This link may give some clues to someone smarter than me: https://namecoin.org/2017/05/27/reverse-engineering-cryptoapi-cert-blobs.html

    Help !!

    $gpo = Get-GPO -Name "Test"
    $GpoName = $gpo.DisplayName
    $GpoGuid = $gpo.id.Guid
    
    $CertificatePath = "C:\Temp\TheCertificate.CER"
    $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $Certificate.Import($CertificatePath)
    
    # Policy registry key the blob is written under (the store name is Root here;
    # use TrustedPublisher if that is the target store, as in the paths above)
    $rootkey = "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($Certificate.Thumbprint)"
    
    try {
       # Import into a throw-away local store so Windows builds the blob for us
       if (!(Test-Path "CERT:\LocalMachine\ScriptingTemp")) {
          Write-Output "Creating temp cert folder"
          New-Item -Path "CERT:\LocalMachine\ScriptingTemp" -ErrorAction Stop | Out-Null
       }
       Import-Certificate $CertificatePath -CertStoreLocation "CERT:\LocalMachine\ScriptingTemp" -ErrorAction Stop | Out-Null
       # Read back the REG_BINARY value ("Blob") Windows created for the imported certificate
       $importKeyValue = (Get-ItemProperty -Path "HKLM:\Software\Microsoft\SystemCertificates\ScriptingTemp\Certificates\$($Certificate.Thumbprint)" -ErrorAction Stop).Blob
    }
    catch {
       Throw "ERROR: $($_.Exception.Message)"
    }
    finally {
        # Remove the temporary store together with the certificate inside it
        Remove-Item -Path "CERT:\LocalMachine\ScriptingTemp" -Recurse -ErrorAction SilentlyContinue | Out-Null
    }
    
    # Copy the blob into the GPO's Registry.pol unless the key is already populated;
    # the value under the thumbprint key is named "Blob", matching what Get-ItemProperty read above
    if (!(Get-GPRegistryValue -Guid $GpoGuid -Key $rootkey -ErrorAction SilentlyContinue)) {
       Set-GPRegistryValue -Guid $GpoGuid -Key $rootkey -ValueName "Blob" -Value $importKeyValue -Type Binary
    }
    • Edited by jsc.19 Wednesday, May 2, 2018 11:23 PM
    Wednesday, May 2, 2018 6:23 AM
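An added example (not code from the post or from Microsoft): a small PowerShell parser for the blob layout described in the namecoin write-up linked above. It assumes the blob is a sequence of records laid out as [UInt32 PropertyId][UInt32 reserved = 1][UInt32 length][data], with property ids taken from the CERT_*_PROP_ID constants in wincrypt.h (32 being the DER certificate); the function names, the constructed demo blob and the placeholder DER bytes are the example's own.

```powershell
# Assumed record layout (from the namecoin write-up): [UInt32 PropertyId][UInt32 Reserved=1][UInt32 Length][Length bytes].
# Property ids are the CERT_*_PROP_ID constants from wincrypt.h; 32 carries the DER-encoded certificate.
$CertPropNames = @{ 2 = 'KeyProvInfo'; 3 = 'Sha1Hash'; 4 = 'Md5Hash'; 11 = 'FriendlyName'
                    20 = 'KeyIdentifier'; 25 = 'SubjectPublicKeyMd5Hash'; 32 = 'Certificate' }

function New-CertBlobRecord {
    # Serialise one property record in the layout above (little-endian, as BitConverter produces on x86/x64).
    param([Parameter(Mandatory)][uint32]$PropertyId, [Parameter(Mandatory)][byte[]]$Data)
    $header = [BitConverter]::GetBytes([uint32]$PropertyId) +
              [BitConverter]::GetBytes([uint32]1) +
              [BitConverter]::GetBytes([uint32]$Data.Length)
    return [byte[]]($header + $Data)
}

function Read-CertBlobRecords {
    # Walk the blob record by record; throws on anything that does not fit the layout.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $offset = 0
    while ($offset -lt $Blob.Length) {
        if ($offset + 12 -gt $Blob.Length) { throw "Truncated record header at offset $offset" }
        $propId   = [BitConverter]::ToUInt32($Blob, $offset)
        $reserved = [BitConverter]::ToUInt32($Blob, $offset + 4)
        $length   = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset  += 12
        if ($reserved -ne 1 -or $offset + $length -gt $Blob.Length) {
            throw "Malformed record (id $propId) at offset $($offset - 12)"
        }
        $data = New-Object byte[] $length
        [Array]::Copy($Blob, $offset, $data, 0, $length)
        $offset += $length
        $name = $CertPropNames[[int]$propId]
        if (-not $name) { $name = 'Unknown' }
        [pscustomobject]@{ PropertyId = $propId; Name = $name; Length = $length; Data = $data }
    }
}

function Get-CertificateFromBlob {
    # Pull the DER certificate (property 32) out of a blob, ignoring the metadata records around it.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $rec = Read-CertBlobRecords -Blob $Blob | Where-Object PropertyId -eq 32 | Select-Object -First 1
    if (-not $rec) { throw 'Blob carries no CERT_CERT_PROP_ID (32) record' }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$rec.Data)
}

# Constructed demo blob (not a real certificate): a friendly-name record plus a placeholder DER record.
$demo = (New-CertBlobRecord -PropertyId 11 -Data ([Text.Encoding]::Unicode.GetBytes("demo`0"))) +
        (New-CertBlobRecord -PropertyId 32 -Data ([byte[]](0x30, 0x03, 0x02, 0x01, 0x01)))
Read-CertBlobRecords -Blob $demo | Format-Table PropertyId, Name, Length
```

On a machine where the certificate is installed, feeding `(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<Thumbprint>').Blob` to Read-CertBlobRecords lists which records Windows stored alongside the certificate, and Get-CertificateFromBlob recovers the certificate object from that same blob.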

All replies

  • I would be surprised if that worked (but as you note, it doesn't).

    According to the namecoin post, there are chunks of that binary blob that are undocumented, and it doesn't provide an actual technique for reading and writing usable certificate data.

    Interesting as this is, I would have to say that (at first glance) what you are trying to do is not documented to work and not supported unless there is a API for it. (This likely needs more research.)

    -- Bill Stewart [Bill_Stewart]

    Wednesday, May 2, 2018 2:30 PM
    Moderator
  • I think you are right, Bill.  I've resorted to this post hoping that somewhere, someone has figured this out and might provide some clues, but I'm not hopeful.  Thanks!
    Wednesday, May 2, 2018 11:21 PM