Re: Certificate Installation Question

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/05/04


Date: Thu, 4 Nov 2004 18:59:24 -0800

For that task you need to request a certificate for your clients. You can do
it through a web page or with some automation tools. "CertUtil.exe", which
ships with Windows Server 2003, might be a better choice in this case.

If your clients are members of the domain, you can do this through Group
Policy and AutoEnrollment. That would save you a lot of time.

Another option is to issue your users SmartCards, which contain the needed
certificate. This might be a better choice if you're seeking a greater level
of security.

-- 
      =============================================
  This posting is provided "AS IS" with no warranties, and confers no rights
Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and 
troubleshooting RADIUS using IAS"
This chat will help you resolve all of your RADIUS/IAS issues. You can ask 
about RADIUS, IAS, 802.1x, Active directory configuration and Certificate 
services, related to IAS and RADIUS
Follow this link to join the chat
http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
      =============================================
"CG" <cg@cg.com> wrote in message 
news:O8ICTsowEHA.3012@TK2MSFTNGP10.phx.gbl...
> Sam -
>
> that tool looks exactly like what I need to have the certs "packaged" with 
> my CMAK install.
>
> Do you know if it can be used to deploy a Client Authentication certificate 
> to my users' local store? If so, what is the syntax and how does it handle 
> the private keys?
>
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
> news:%23Yyph1cwEHA.1192@tk2msftngp13.phx.gbl...
>> look for a tool called Certificate manager tool: 
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatemanagertoolcertmgrexe.asp
>> use it with this command line:
>>
>> certmgr -add RootCert.cer -r localMachine -s root
>>
>> -- 
>>      =============================================
>>  This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>      =============================================
>>
>> "CG" <cg@cg.com> wrote in message 
>> news:eG$qciawEHA.3668@tk2msftngp13.phx.gbl...
>>> I can do that - no problem.
>>>
>>> However, for my users, is there a way I can automate this so that it 
>>> goes to the correct store? Is there a command line utility that I can 
>>> import this cert to? And if there is, what are the commands to make that 
>>> happen?
>>>
>>> We are going to try to package a config so our users can run it and not 
>>> have to interact with it.
>>>
>>> Thanks Sam.
>>>
>>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
>>> news:eGZgeBTwEHA.3084@TK2MSFTNGP10.phx.gbl...
>>>> When you import the certificate, just click "View physical store" and 
>>>> expand trusted root certificate authority and select machine store
>>>>
>>>>
>>>> -- 
>>>>      =============================================
>>>>  This posting is provided "AS IS" with no warranties, and confers no 
>>>> rights.
>>>>      =============================================
>>>>
>>>> "CG" <cg@cg.com> wrote in message 
>>>> news:%23fSk9LRwEHA.3768@TK2MSFTNGP10.phx.gbl...
>>>>> I am using the Certificate Services webpage for my users to sign up and
>>>>> download their certs (we aren't running AD). The Client Authentication
>>>>> cert gets installed in the Local Computer store right where it is
>>>>> supposed to be. When they download the CA certification path it is
>>>>> installed ONLY in the Current User store. This is the case whether they
>>>>> click the "Install this CA certification path" link or if they click the
>>>>> "Download CA certification path" and import with the wizard. If they
>>>>> have the Wizard automatically decide to put the cert where it is
>>>>> supposed to go it always installs it in the Current User store. When I
>>>>> try to authenticate with the Client Authentication cert in the local
>>>>> store and the CA in the Current User I get an error 786. I export the CA
>>>>> from the Current User store and import it into the Local Computer into
>>>>> Trusted CA and everything works fine.
>>>>>
>>>>> My question is - is there any way to have the Trusted CA go into the
>>>>> Local Computer store? Is this configurable on the CA server somewhere?
>>>>>
>>>>> With the CMAK - is it possible to build a config that includes the certs
>>>>> and will put them into the Local Computer store?
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> 
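
The unattended root-store import discussed in this thread, as an added PowerShell example that is not part of any poster's message. It uses the .NET X509Store class instead of certmgr.exe and refuses to trust the file unless it matches a thumbprint obtained out of band; the file name and the thumbprint placeholder are assumptions.

```powershell
# Added example: verify a root CA certificate, then add it to LocalMachine\Root.
# Must run elevated. Both parameter defaults are placeholders (assumptions).
param(
    [string]$CertPath = '.\RootCert.cer',
    [string]$ExpectedThumbprint = '<SHA-1 THUMBPRINT OBTAINED OUT OF BAND>'
)
$ErrorActionPreference = 'Stop'
$ns = 'System.Security.Cryptography.X509Certificates'

$cert = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

# 1. Pin: the file must be exactly the CA certificate the administrator expects.
#    Anything added to the machine Root store is trusted by every user and service.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A root certificate is self-issued; an intermediate does not belong in Root.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-issued (issuer: $($cert.Issuer))"
}

# 3. It must be marked as a CA in Basic Constraints. Very old v1 roots lack
#    this extension and would need an explicit exception here.
$bc = $cert.Extensions | Where-Object { $_ -is [type]"$ns.X509BasicConstraintsExtension" }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA'
}

# 4. It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 5. Add to the Local Computer store (not Current User), skipping duplicates.
$store = New-Object "$ns.X509Store" -ArgumentList ([type]"$ns.StoreName")::Root,
                                                  ([type]"$ns.StoreLocation")::LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -eq 0) { $store.Add($cert); 'Installed' } else { 'Already present' }
} finally {
    $store.Close()
}
```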

