Automating CA certificate installation

    Question

  • Hello,

    In an attempt to add our root and intermediate CA certificates on the machines of VPN users, I am writing a VBScript that, when run on the client machines, would copy the certificates over and install them. As this script would execute every time the user logs into the network, I would like to check for the presence of these certificates and install them only if they are not present. This is where I am running into problems. I am using the following statements to check for the presence of the root certificate on the machines:

    certutil -store root <Certificate fingerprint or serial number> - For users with admin privileges
    certutil -user -store root <Certificate fingerprint or serial number> - For users without admin privileges


    In both cases, if the cert is present, the command pops up a dialog which says "Exporting your private signature key". This is obviously a problem since I cannot expect users to deal with it every time they log on. I do not get the pop-up when I check for the presence of an intermediate CA certificate using:

    certutil -store CA <Certificate fingerprint or serial number> - For users with admin privileges
    certutil -user -store CA <Certificate fingerprint or serial number> - For users without admin privileges

    I have tried to find a way to check the presence silently but have not been successful. I would appreciate any help on this!!

    Thanks,
    -p

    Addendum: Just wanted to add something that I just observed - the pop-up does not come up for all root certificates. I tried a test certificate and it worked smoothly. When I tried comparing the properties of the 2 certificates, the only diff. I could see was that the one that was bringing up the prompt had its "Certificate Template Name" as CA while the other did not have any template in its properties. The problem is that my production root certificate is bringing up the prompt :-(
    Friday, December 25, 2009 12:12 AM

Answers

  • Unfortunately the certutil utility does not ship with the Windows XP installation (it requires installing the Support Tools). Therefore there are two ways for you:
    1) you must include the certutil.exe utility with your VPN connection installation package
    2) use CAPICOM COM interfaces in a VBS script. I'm just a PowerShell guy and not so familiar with VBS. However I have a sample of code:
    ' Load the public certificate from the .cer file and add it to the
    ' machine's Trusted Root store (location 1 = local machine, mode 1 = read/write).
    Set Store = CreateObject("CAPICOM.Store")
    Set Certificate = CreateObject("CAPICOM.Certificate")
    Certificate.Load "path\file.cer"
    Store.Open 1, "root", 1
    Store.Add Certificate
    Store.Close
    Not tested, but should work. In your case you just need to change the location of the certificate to be imported (in the Certificate.Load line). For further script assistance please post your scripting-related questions on the Scripting Guys forum.
    http://www.sysadmins.lv
    Monday, December 28, 2009 6:34 PM
  • Hi,

    If you need further assistance regarding scripting, I suggest that you post to The Official Scripting Guys Forum. They are the best resource for assistance.

    The Official Scripting Guys Forum!
    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, December 29, 2009 3:17 AM
    Moderator

All replies

  • Can you answer this:
    1) Are your clients part of any AD domain?
    2) Are your clients part of your organization?

    As I see it, there are several ways to achieve this:
    1) use the CAPICOM.Store COM object to retrieve certificate objects, from which you can determine if this certificate already exists. By constructing if/then/else statements you can check if the certificate is already installed and abort the other commands, or else install the certificate.

    However you must be aware of the fact that CAPICOM is partially deprecated starting with Windows Vista and completely deprecated in Windows 7.

    2) use Windows PowerShell and its built-in cert:\ provider and the X509Store class in the X509Certificates namespace. Here is a simple example:
    # for example, our Root CA certificate thumbprint is ABCDEF123
    # passing current user store to pipeline to determine if particular certificate
    # is already installed. If cert is installed, abort any other commands. Otherwise
    # we add certificate to store.
    if (-not (dir cert:\currentuser\root | Where-Object {$_.Thumbprint -eq "ABCDEF123"})) {
        # create X509Certificate2 object that will represent our certificate object
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        # import certificate from file to X509Certificate object
        $cert.Import("c:\rootca.cer")
        # create X509Store object that will represent our certificate store. In this case we
        # just open Trusted Root CAs container in Current User store
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "CurrentUser"
        # open this store in ReadWrite mode
        $store.Open("ReadWrite")
        # and write this certificate to store
        $store.Add($cert)
        # for some things it is strongly recommended to close store when writing is finished
        $store.Close()
    }
    However this requires that PowerShell be installed on each machine and that the execution policy (within PowerShell) allows running your scripts. By default Windows PowerShell is installed on Windows 7/2008R2 only.
    http://www.sysadmins.lv
    Friday, December 25, 2009 8:58 AM
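    The check-then-install logic described above, combined with the CAPICOM sample from the accepted answer, written out as an added VBScript example (not code from the thread or from sysadmins.lv). It assumes CAPICOM 2.0 is registered on the client, that the .cer files are shipped with the VPN client at the placeholder paths shown, and that the script should match on the SHA-1 thumbprint rather than the subject name; it only reads public certificates from the store, so no key export is involved.

```vbscript
Option Explicit

' CAPICOM enumeration values (from the CAPICOM 2.0 type library)
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_STORE_OPEN_READ_WRITE = 1
Const CAPICOM_CERTIFICATE_FIND_SHA1_HASH = 0

' Installs the .cer file into the given store only if a certificate with the
' same SHA-1 thumbprint is not already there. Returns True if it was already
' present, False if it was just added. Raises a VBScript error if the store
' cannot be written (e.g. a non-admin user and a LocalMachine store).
Function EnsureCertInstalled(storeLocation, storeName, cerPath)
    Dim cert, store, matches
    Set cert = CreateObject("CAPICOM.Certificate")
    cert.Load cerPath                 ' public certificate only, no key material

    Set store = CreateObject("CAPICOM.Store")
    store.Open storeLocation, storeName, CAPICOM_STORE_OPEN_READ_ONLY
    ' Compare thumbprints, not subject names: a different certificate with the
    ' same subject must not be mistaken for the one we intend to install.
    Set matches = store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SHA1_HASH, cert.Thumbprint)
    store.Close

    If matches.Count > 0 Then
        EnsureCertInstalled = True
    Else
        store.Open storeLocation, storeName, CAPICOM_STORE_OPEN_READ_WRITE
        store.Add cert
        store.Close
        EnsureCertInstalled = False
    End If
End Function

' Wraps EnsureCertInstalled and returns False instead of aborting the script
' when the store is not writable by the current user.
Function TryInstall(storeLocation, storeName, cerPath)
    On Error Resume Next
    EnsureCertInstalled storeLocation, storeName, cerPath
    TryInstall = (Err.Number = 0)
    Err.Clear
End Function

' Machine-wide stores first (admins); fall back to the current user's own
' stores, which any user can write, mirroring certutil's -user switch.
Sub InstallChain(rootCer, intermediateCer)
    If Not TryInstall(CAPICOM_LOCAL_MACHINE_STORE, "Root", rootCer) Then _
        TryInstall CAPICOM_CURRENT_USER_STORE, "Root", rootCer
    If Not TryInstall(CAPICOM_LOCAL_MACHINE_STORE, "CA", intermediateCer) Then _
        TryInstall CAPICOM_CURRENT_USER_STORE, "CA", intermediateCer
End Sub

' Placeholder paths: point these at the files shipped with the VPN client.
InstallChain "C:\VPN\root-ca.cer", "C:\VPN\intermediate-ca.cer"
```

Because the presence test is done through the store's Find method on the thumbprint, the script is idempotent across logons and can be run with cscript from a logon hook without any interactive prompt.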
  • Hi Vladims,

    Thank you for your help. The clients are remote VPN users, so they are not part of our AD infrastructure. I am not sure what you mean when you say, are they part of my organization? If you mean are they employees, then YES.

    Unfortunately, 99.99% of the end user systems will be running Win XP so powershell is not the solution. Will it be possible for me to accomplish the above using VBScript or Batch? I am not very familiar with either of them so just wanted to check.

    BTW, what do you think might be the reason for some certificates bringing up the dialog and the others not? I feel this has something to do with 'Key Protection' explained here - http://blogs.technet.com/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx but I am baffled as to why 2 certificates created the same way (although on diff. systems, domains and group policy) exhibit different behavior.

    Thanks,
    Praful.
    Monday, December 28, 2009 2:29 PM