Install pfx cert in user personal store via gpo

    Question

  • I've looked through tons of blogs, websites, forums, etc. and still cannot get my certificate to install.

    I placed my cert in the personal snap-in on the server (2012 R2), created a GPO to install the MSI package, which went smoothly, and also created a GPO to install the certificate, yet I still don't see it appearing in my personal certs in the registry.

    Here are the scripts I ran:

    import-cert.bat

    certutil -f -user -p password -importpfx %LOGONSERVER%\netlogon\certificates\mycompany.pfx

    import-certificate-slightly.vbs

    Set oShell = CreateObject ("Wscript.Shell") 
    Dim strArgs 
    strArgs = "cmd /c %LOGONSERVER%\netlogon\Certificates\import-certificate.bat" 
    oShell.Run strArgs, 0, false

    Then I created a task under user - preferences to install the cert when the user unlocks the workstation using the admin account.

    Monday, April 25, 2016 6:38 PM

Answers

All replies

  • Hi Tiffc0922,

    You don't need to use a script to install certificates. Export all certificates that come with your pfx certificate and deploy them following the link below:

    https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

    Remember to deploy every certificate in the required container (trusted root certificates, subordinated certificates and personal) and use, of course, another certificate extension. DER is OK.

    https://technet.microsoft.com/en-us/library/cc770735.aspx

    Regards


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Monday, April 25, 2016 6:55 PM
  • Hi,

    You could deploy user certificates by GPO under the path below.

    User Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment

    For detailed information, you could refer to the article below.

    Deploy User Certificates

    https://technet.microsoft.com/en-us/library/cc770857(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 26, 2016 12:24 PM
    Moderator
  • Thank you but the third party vendor states the best place to put the certificate is in the user store which allows full control.
    Tuesday, April 26, 2016 1:41 PM
  • Hi,

    You could try the script below.

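    set store = CreateObject ("CAPICOM.Store")
    set cert = CreateObject ("CAPICOM.Certificate")
    ' Location 2 = CAPICOM_CURRENT_USER_STORE, "My" = Personal store, mode 2 = CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED
    store.Open 2, "My", 2
    ' Key storage flag 1 = CAPICOM_KEY_STORAGE_EXPORTABLE, key location 0 = CAPICOM_CURRENT_USER_KEY
    cert.Load "C:\Pathtocert\Cert.pfx", "Cert Password", 1, 0
    ' Adds the certificate to the Personal store of the account running the script
    store.Add cert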

    For more information, you could refer to the thread below.

    https://social.technet.microsoft.com/Forums/en-US/563a086e-edf7-4fe4-ba50-bac2a87c6faf/import-pfx-certificate-using-vbscript?forum=ITCG

    In addition, here is an article about importing a certificate by script, for your reference.

    https://gallery.technet.microsoft.com/scriptcenter/import-certificate-file-f09927e5

    Best Regards,

    Jay



    Wednesday, May 04, 2016 2:00 AM
    Moderator
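
A PowerShell counterpart to the certutil and CAPICOM imports in this thread, as an added example that is not part of the original posts: it imports the PFX into the Personal store of whichever account runs it, records that account, and reports whether a certificate with a private key actually landed there. The function name `Import-UserPfx`, its parameters and the way the password is obtained are assumptions for illustration; `Import-PfxCertificate` is the cmdlet from the Windows PKI module.

```powershell
# Added example (not from the thread). Import-UserPfx and its parameters are hypothetical names.
function Import-UserPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$ExpectedThumbprint   # optional pin; the caller supplies the real value
    )

    # Cert:\CurrentUser belongs to the account executing this code, not to the
    # interactively logged-on user if the task or script runs under another account.
    $runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Verbose "Importing into Cert:\CurrentUser\My as $runAs"

    if (-not (Test-Path -LiteralPath $PfxPath)) {
        throw "PFX not found or not readable by ${runAs}: $PfxPath"
    }

    # Without -Exportable the private key is stored as non-exportable
    # (the CAPICOM call in the reply above passes key storage flag 1 = exportable).
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation Cert:\CurrentUser\My -ErrorAction Stop

    # Report each end-entity certificate and confirm it is present in the store.
    foreach ($c in @($imported | Where-Object HasPrivateKey)) {
        [pscustomobject]@{
            RunAs       = $runAs
            Subject     = $c.Subject
            Thumbprint  = $c.Thumbprint
            NotAfter    = $c.NotAfter
            InUserStore = Test-Path "Cert:\CurrentUser\My\$($c.Thumbprint)"
            MatchesPin  = (-not $ExpectedThumbprint) -or ($c.Thumbprint -eq $ExpectedThumbprint)
        }
    }
}

# Usage (constructed; the path is the one from the question, the prompt is an assumption):
# $pw = Read-Host -AsSecureString 'PFX password'
# Import-UserPfx -PfxPath "$env:LOGONSERVER\netlogon\certificates\mycompany.pfx" -PfxPassword $pw -Verbose
```

If `RunAs` shows an administrative account rather than the target user, the certificate went into that account's Personal store. Files under NETLOGON are readable by every authenticated domain user, so a PFX stored there is protected only by its password.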