
Pushing a PFX Personal Certificate


Jeff Smyrski

Sep 26, 2003, 10:53:31 AM
I am interested in pushing a PFX Personal Certificate (issued by a
third-party and exported for backup and reinstall purposes). I posted on
the Windows 2000 Group Policy newsgroup, and they recommended that I post
here. So here goes.

As I mentioned I have PFX certificates assigned to users who log onto
2000 / XP workstations. Currently I have to travel to all of the machines
that a particular user logs into, and Import the PFX certificate onto that
machine, so that the user can access the web sites that require and prompt
for these. I am interested in automating this process with a logon script
that I can enforce on a user by user basis using Active Directory GPO. In
this way no matter where the user logged in, I could push the certificate to
that machine, and to take it a step further, when they log off I could
remove the certificate from the same machine.

Does anyone have ideas how this could be done?

Thanks,
Jeff Smyrski


Eric Shen [MSFT]

Sep 26, 2003, 2:56:26 PM
Hi Jeff,

As I understand, you would like to import a certificate from the command
line. Is this correct? To implement this, you can use the command line
utility CertMgr.exe. This application has the ability to import certificates
from the command line. You can use it in the logon script to deploy the
certificate.

Normally, the command would look like:

certmgr -add -c a:\test.cer -s -r localMachine root

There are ways to deploy the cert via login script. The first plan will
work if users are local administrators. The second plan is appropriate if
they are not.

1. Export the CA's certificate into a .cer file.
2. Place the .cer file into the NETLOGON share of your domain controllers.
3. Place a copy of certmgr.exe into the NETLOGON share of your domain
controllers.
4. Create or add to an existing login script the following command:

%logonserver%\NETLOGON\certmgr -add -c %logonserver%\NETLOGON\<filename>.cer -s -r localMachine root

- You may need to adjust the command to meet your requirement. For more
information on its syntax, please refer to the following:


http://msdn.microsoft.com/library/en-us/security/security/using_certmgr.asp
http://msdn.microsoft.com/library/en-us/security/security/certmgr.asp

- Note: The user may be prompted to confirm the import in some security
situations. Have them select yes.

To obtain this certmgr utility, you can find it in .NET framework 1.1 SDK
or Microsoft Platform SDK from the following:

http://www.microsoft.com/downloads/details.aspx?familyid=9b3a2ca6-3647-4070-9f41-a333c6b9181d
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

I hope this addresses your concerns. Please feel free to let me know if
there is anything further I can do for you. I look forward to hearing from
you.

Regards,

Eric Shen
Product Support Services
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! - www.microsoft.com/security
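The logon-script procedure above, written out as an added example (this is not code from the thread or from Microsoft): a PowerShell script that does what the `certmgr -add -c <file>.cer -s -r localMachine root` step does, using the .NET X509Store API that Windows PowerShell exposes. The file name ExampleCA.cer and its NETLOGON location are assumptions. Unlike certmgr.exe in the thread, it parses the file before opening any store, so a truncated or corrupt file fails loudly instead of reporting success, and it only adds the certificate once, because a logon script runs at every logon.

```powershell
# Added example, not code from the thread: logon-script import of a CA .cer
# into the Root store. ExampleCA.cer and the NETLOGON path are assumptions.
param(
    [string]$CerPath = "$env:LOGONSERVER\NETLOGON\ExampleCA.cer",

    # LocalMachine\Root needs local administrator rights (the "first plan");
    # CurrentUser\Root works for an ordinary user (the "second plan").
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$Location = 'CurrentUser'
)

function Import-CaCertificate {
    param([string]$Path, [string]$Location)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    # Parse the file before touching any store. A truncated or corrupt file
    # throws a CryptographicException here rather than reporting success.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # "Root" is the Trusted Root Certification Authorities store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # A logon script runs at every logon, so only add the certificate once.
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($present) {
            return "already present in $Location\Root: $($cert.Thumbprint)"
        }
        $store.Add($cert)
        return "added $($cert.Subject) ($($cert.Thumbprint)) to $Location\Root"
    }
    finally {
        $store.Close()
    }
}

Import-CaCertificate -Path $CerPath -Location $Location
```

Adding a certificate to CurrentUser\Root makes Windows show the confirmation dialog that the note above refers to; LocalMachine\Root does not prompt but requires administrator rights. On Windows 8 / Server 2012 and later the PKI module's Import-Certificate cmdlet does the same job in one call.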

Jeff Smyrski

Sep 26, 2003, 3:43:11 PM
This makes sense except for the export as a .CER.
There are, as it looks, two types of .cer exports; the
problem is that these are personal certificates. I say
this because if I could get a cer out of the pfx, then I
could use the name mappings in Active Directory to push
the certificate via policy.

The pfx is designed to be present when a user hits a web
site that is looking for the Certificate on the local
machine in the Personal Certificates in IE. The user
then selects their name from the list and enters the
password for the certificate to allow access to the site.

I hope this better describes my model, it sounds like we
are on the right track. I am downloading the .Net
framework 1.1 now. Unusual that I have Visual
Studio .Net 2002 upgraded to 2003, and I did not have the
CertMgr installed? Must be it is not included in the
full .Net studio product?

Thanks Eric
Jeff


Eric Shen [MSFT]

Sep 26, 2003, 7:01:57 PM
Hi Jeff,

As I know and tested, CertMgr supports encoded CTL, CRL, or certificate
file (could be base 64 encoded), PKCS #7 file, SPC file, signed document or
serialized storeFile. However, I am not sure if PKCS #12 (pfx) files are
importable. You can try to import it with this utility and let me know how
it works. If this is not supported, you can try to import the pfx file,
export it to cer and then use this file to deploy.

In addition, as you have Visual Studio .NET 2003 installed, you can select
the .NET framework 1.1 SDK to install and this can be found on your 2003
installation CD.

Please try that and then let me know the results. You can test on a single
computer to see if this works. I look forward to hearing from you.

Torgeir Bakken (MVP)

Sep 28, 2003, 6:21:24 PM
"Eric Shen [MSFT]" wrote:

> To obtain this certmgr utility, you can find it in .NET framework 1.1 SDK
> or Microsoft Platform SDK from the following:
>
> http://www.microsoft.com/downloads/details.aspx?familyid=9b3a2ca6-3647-4070-
> 9f41-a333c6b9181d
> http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

Hi

It is available in "Authenticode for Internet Explorer 5.0" as well, a 124 KB
download only...

Authenticode for Internet Explorer 5.0
http://msdn.microsoft.com/downloads/list/security.asp

--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Jeff Smyrski

Sep 29, 2003, 12:36:19 PM
Okay, I have the program installed. Show me an example I might try with the
following info.
Install the pfx certificate called "test.pfx" to the personal store for
the current user.

I tried CertMgr /add /c d:\test.pfx personal it says it completed
successfully but who knows where?...lol

Any help is greatly appreciated.

Jeff Smyrski

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message
news:8SRBwIIh...@cpmsftngxa06.phx.gbl...

Steven Liu [MSFT]

Oct 2, 2003, 11:01:57 PM
Hi Jeff,

Let's do the following steps to check whether the certificate is imported.

1. Run mmc
2. Add the Certificates snap-in

Then, find whether the certificate is listed in the certificates in the
computer.

If yes, the command line works.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Eric Shen [MSFT]

Oct 6, 2003, 2:23:15 AM
Hi Jeff,

We need to specify the location to import the certificate. Otherwise, it
will be imported into currentUser (the user you run this command as). Check
the following command line argument:

-r <location> The system store location
<currentUser|localMachine> Default to 'currentUser'

--- Your command is equivalent to "CertMgr -add -c d:\test.pfx -r currentUser
personal"

In this case, with the command you run, you can use MMC to add the
"Certificates" snap-in with "Current User" and then check if it is listed
under "Certificates - Current User"\"Personal"\"Certificates". Here
Personal is the destination folder you specified. If the certificate is
there, it means your command was successfully processed.

As I am out of office for some days last week, Steven is my backup and he
replied you in this thread. Your understanding on this is appreciated.
Please check the information and then let me know the results. I look

Jeff Smyrski

Oct 6, 2003, 9:25:10 AM
Okay, tried the command this morning, I pasted the "cmd" output, below.

D:\Program Files\Microsoft Visual Studio .NET
2003\SDK\v1.1\Bin>certmgr -add -c
d:\marie.pfx -r currentUser personal
CertMgr Succeeded

Notice that it says the command succeeded, HOWEVER...lol
When I load an mmc console and look at the certificates for current
user/personal there is nothing...

Typing certmgr brings up the certificates window, and that too is blank
under the personal tab...

If the command is succeeding, where on earth is the certificate going?

Thanks
Jeff Smyrski


""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:KUK0XJ9i...@cpmsftngxa06.phx.gbl...

Eric Shen [MSFT]

Oct 6, 2003, 10:02:17 PM
Hi Jeff,

By further experimentation, we need to adjust the command as below:

certmgr -add -c c:\import.cer -s -r currentUser my

#1. -s indicates the target store is a system store. Otherwise, the
information will not be imported to the system store. This is why
you cannot see the imported certificates.
#2. "My" is the name of the Personal folder. The name of the Personal folder
in the registry is "my".

After that, you can run MMC with Certificates snap-in (instead of Certmgr)
and you will be able to see this certificate under Personal\Certificates of
this user.

Please try that command and then let me know how it works. I look forward

Jeff Smyrski

Oct 8, 2003, 8:45:14 AM
Hi Eric, I posted this in the wrong group...

Well here is what I tried...remember I am trying to use a PFX file; if I had a
cer I could just tie it to the NameMappings for Active Directory for the
user and avoid a script altogether...I find it hard to believe that this
is looking like it can't be done...anyway here is the output and result

C:\Documents and Settings\jeff smyrski>certmgr -add -c d:\marie.pfx -s -r
currentUser my
CertMgr Succeeded

C:\Documents and Settings\jeff smyrski>certmgr -add -c d:\marie.pfx -s -r
currentUser personal
CertMgr Succeeded

In either case the certificate does not show up anywhere...back to the
drawing board...lol

Jeff Smyrski

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:oCxuPcHj...@cpmsftngxa06.phx.gbl...

Jeff Smyrski

Oct 9, 2003, 3:32:41 PM
Eric, I emailed you the file...per your request. Please keep me posted.
Jeff

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:8kSaWJi...@cpmsftngxa06.phx.gbl...
> Hi Jeff,
>
> I tested with some certificates (.cer) on my side and that was imported
> successfully. I can view and use as normal. Since .pfx is third-party
> certificate, I do not have one on hand. In order to check if this is a
> .pfx file problem, could you please email the file to me for a test? Therefore,
> I can try to reproduce this issue on my side and see if there is any
> problem with this third-party certificate. My email address is
> eric...@microsoft.com
>
> Thank you for your cooperation and time. I am standing by for your reply.

Eric Shen [MSFT]

Oct 10, 2003, 1:57:04 AM
Hi Jeff,

I received the pfx and I am testing. Thank you.

Eric Shen [MSFT]

Oct 10, 2003, 4:10:01 AM
Hi Jeff,

I checked the certificate you sent. I am unable to import it. When I run
certmgr, it prompts me with "Error: Failed to open the source store" and it
fails to be imported. I suspect that this third-party certificate is unable
to be imported successfully. I tried to use mmc with certificate snap-in to
import this certificate; it completes successfully.

Actually, if you only use these certificates on clients, you can import the
key with user interface to cer and then import them to the clients.

I am not sure why you need to deploy this pfx including its certificate
private key to all the clients. If you can let me know the reason why you
do not convert it to a recognizable format as cer, I believe we will be
able to work on this issue more efficiently.

I look forward to hearing from you.

Regards,

Jeff Smyrski

Oct 10, 2003, 9:04:47 AM
I emailed you another PFX not from the same third party...let me know when
you get it, perhaps you can get back to me before the end of the day, I
would appreciate it.

Jeff

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:tUUOsXwj...@cpmsftngxa06.phx.gbl...

Eric Shen [MSFT]

Oct 12, 2003, 10:25:27 PM
Hi Jeff,

Thank you for your prompt update.

I checked this PFX you sent to me. It appears that this certificate is
invalid. When I double-click it to import, I am notified with "This is an
invalid Personal Information Exchange file". It actually runs with CertMgr
and returns "CertMgr Succeeded" but nothing is imported. This is because
the certificate Marie.pfx is corrupted or invalid. At this time, I would
suggest using a valid certificate for further tests.

Please let me know if there is anything further I can do for you. I look

Jeff Smyrski

Oct 14, 2003, 9:54:03 AM
Hi Eric,
These are valid certificates, the marie.pfx is a personal certificate
that has a password much like the utica.pfx that I sent you prior. My
argument is this, the certmgr program is not running like you expect it to.
If the certificate is imported manually using the import feature of internet
explorer everything works fine. Remember these certificates are for web
access with IE.

I advise not to double click the PFX to install it, apparently they are
not designed to work like this.

Furthermore the message about a successful import is the same message
that I received. Which leads me to believe that the program is not working
the way you think it is, especially when the Third Party Certificate is
imported via Internet Explorer and is put in the personal store no problem.

Jeff

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:1QxcFFTk...@cpmsftngxa06.phx.gbl...

Torgeir Bakken (MVP)

Oct 14, 2003, 10:14:19 AM
Jeff Smyrski wrote:

> I advise not to double click the PFX to install it, apparently they are
> not designed to work like this.

I would think that if you can't import a pfx file by double clicking on it, you
can't use CertMgr on it either...

Jeff Smyrski

Oct 14, 2003, 10:21:02 AM
Which gets me back to the original question: how can I automate the import
process of a third party pfx certificate using a script? There must be a
way for this to work, and when you really think about it, why should I have
to travel from building to building to every PC that I think this user will
log into, and manually install the certificate...does that make sense? I
don't think so.

Jeff

"Torgeir Bakken (MVP)" <Torgeir.B...@hydro.com> wrote in message
news:3F8C04BB...@hydro.com...

Eric Shen [MSFT]

Oct 15, 2003, 12:31:10 AM
Hi Jeff,

Actually, the marie.pfx you sent to me is not importable with double-click
or import wizard in Internet Explorer. Before a certificate can be imported
over command line, it should be able to be imported via double-click.
Otherwise, this certificate is useless. The marie.pfx you sent to me is 20
bytes in size and does not contain any valid certificate information.

Meanwhile, since pfx is third-party certificates, they are not fully
supported by certmgr so you may not be able to use this command line to
import it directly. However, if you can import the certificate over the
user interface and then export it to cer format, it would be the easiest
way to deploy the certificate in this format. I believe this can address
your concerns. Please let me know why you don't want to use this approach.

Please let me know if this solves this issue or if you need further
assistance. I look forward to hearing from you.

Jeff Smyrski

Oct 15, 2003, 10:03:09 AM
Okay, I emailed you a zip file with the two certs inside, the Utica.pfx
should be the test pfx with a password of "password". I think I typed it as
Password instead of password in the email..

If I double click the cert it imports fine for both pfx files.
If I import using IE, it also works fine.

As for turning the PFX into a CER, that method is not supported by the third
party, this also puts the impetus on Microsoft that if they allow such keys
to be imported / installed via CertMgr.EXE (GUI from run dialog box) then
the command line for CertMgr should also work. BTW, I tested this both ways
and it works for me, it just seems that the command line will not do the
same thing.

Please let me know if you get these files okay.
Thanks
Jeff Smyrski

""Eric Shen [MSFT]"" <eric...@online.microsoft.com> wrote in message

news:Pu8RrUt...@cpmsftngxa06.phx.gbl...

Eric Shen [MSFT]

Oct 16, 2003, 2:27:28 AM
Hi Jeff,

Thank you for your update.

I checked the marie.pfx and it is a valid one. However, since it is a
third-party certificate in pfx format, it is not importable under CertMgr
command line. It returns the same error as Utica.pfx with "Failed to open
the source store"

Actually, the third-party certificates in pfx format are not fully
supported under Command Line. These third-party certificates need high
security protection with password and they are designed to be imported via
user interface in order to protect private key. CertMgr only provides
limited command line support to these third-party certificates.

In this scenario, I suggest you import the certificate via the user interface
(UI) and then export it to .cer without the private key. Therefore, you can
deploy them to the clients with CertMgr. Since the private key is only used
for the server, the public key is enough to allow the client to connect.

Moreover, if you need this kind of feature to implement your task to import
the pfx file, you can try to program it. However, for this kind of development
issue, it would best be addressed in the Developer newsgroups:

http://msdn.microsoft.com/newsgroups/default.asp

You can check the referred SDK at below:
http://msdn.microsoft.com/library/en-us/security/security/cryptography_reference.asp

I hope this helps.

Martin Jakob

Oct 17, 2003, 4:38:17 AM
Hi Jeff,

I'm trying something quite similar, and I just found "CAPICOM" in the
Platform SDK.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/intcapicom.asp

In the Platform SDK directory (Microsoft SDK\Samples\security\capicom) you
can find some examples for different programming languages, the CStore.vbs
script looks very promising to me :)

cheers

Martin

"Jeff Smyrski" <jsmy...@bankofutica.com> wrote in message
news:u2sBcLE...@tk2msftngp13.phx.gbl...
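The programmatic route Eric points at and Martin's CAPICOM suggestion both come down to the same thing: open the user's Personal store (store name "My", as Eric's earlier post notes) and add the parsed PFX to it. As an added example that is not code from the thread, Microsoft or CAPICOM, here is that done with the .NET X509Certificate2 and X509Store classes in PowerShell, with a matching removal function for a logoff script. The PFX path, the thumbprint file and the way the password is obtained are assumptions. The import is what certmgr.exe in the thread did not do: the file is parsed first, so a 20-byte or otherwise invalid file raises a CryptographicException instead of a "Succeeded" that imports nothing, and a file with no private key is rejected because a .cer would do in that case.

```powershell
# Added example, not code from the thread: logon-time import of a
# password-protected PFX into CurrentUser\My and logoff-time removal.
# The PFX path, the thumbprint file and the password prompt are assumptions.
$ThumbprintFile = Join-Path $env:LOCALAPPDATA 'imported-pfx-thumbprint.txt'

function Import-PersonalPfx {
    param(
        [Parameter(Mandatory = $true)] [string]$PfxPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]

    # Parsing happens here: an invalid file (for example a 20-byte stub) throws
    # a CryptographicException, the failure certmgr.exe never reported.
    # UserKeySet + PersistKeySet keep the private key in the user's profile;
    # Exportable is deliberately not set, so the key cannot be exported again.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $Password, ($flags::UserKeySet -bor $flags::PersistKeySet))

    if (-not $cert.HasPrivateKey) {
        throw "$PfxPath carries no private key; a .cer export would serve here"
    }

    # "My" is the Personal store the MMC snap-in shows as Personal\Certificates.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { $store.Add($cert) }
    }
    finally {
        $store.Close()
    }
    # Record what was imported so the logoff script can remove exactly that.
    Set-Content -LiteralPath $ThumbprintFile -Value $cert.Thumbprint
    return $cert.Thumbprint
}

function Remove-PersonalCertificate {
    param([Parameter(Mandatory = $true)] [string]$Thumbprint)

    # The Cert: drive's -DeleteKey switch also deletes the private key
    # container; X509Store.Remove() on its own leaves that container behind.
    $item = "Cert:\CurrentUser\My\$Thumbprint"
    if (Test-Path -LiteralPath $item) {
        Remove-Item -LiteralPath $item -DeleteKey
        return $true
    }
    return $false
}

# Logon script: the user types the PFX password once, as in the browser prompt.
# Import-PersonalPfx -PfxPath "$env:LOGONSERVER\NETLOGON\user.pfx" `
#     -Password (Read-Host -AsSecureString 'PFX password')
#
# Logoff script: remove whatever the logon script recorded.
# if (Test-Path -LiteralPath $ThumbprintFile) {
#     Remove-PersonalCertificate -Thumbprint (Get-Content -LiteralPath $ThumbprintFile)
#     Remove-Item -LiteralPath $ThumbprintFile
# }
```

The password is never written into the script; the user supplies it at logon, which matches the prompt they already answer in Internet Explorer. Not setting Exportable means the private key lives only in that user's key store on that machine and goes away with the -DeleteKey removal at logoff. On Windows 8 / Server 2012 and later the PKI module's Import-PfxCertificate cmdlet wraps the same constructor and store calls in one command.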
