Re: Certificate Installation Question

From: CG (cg_at_cg.com)
Date: 11/05/04


Date: Fri, 5 Nov 2004 10:21:32 -0500

Is it possible to have a local computer Client Authentication certificate
installed using CertUtil.exe? It needs to be in the local computer store. I
have the cert as a file (when I created the cert I made it exportable).

What I am trying to do is to create a package with CMAK and have the certs
install (Client Authentication as well as the Trusted CA) as well as setup
the VPN connection. I do not necessarily need to have a different cert for
each user. Unfortunately, most of the VPN users aren't part of the domain.

Thanks again.

"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
news:u$hL5NuwEHA.1192@tk2msftngp13.phx.gbl...
> For that task you need to request a certificate for your clients. You can
> do it through a web page or with some automation tools "CertUtil.exe"
> which ships with Windows server 2003, might be a better choice in this
> case
>
> If your clients are members of the domain, you can do this through Group
> Policy and AutoEnrollment. That would save you a lot of time
>
> Another option is to issue your users SmartCards, which contain the needed
> certificate. This might be a better choice if you're seeking greater level
> of security
>
>
> --
> =============================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using
> and troubleshooting RADIUS using IAS"
> This chat will help you resolve all of your RADIUS/IAS issues. You can ask
> about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
> services, related to IAS and RADIUS
> Follow this link to join the chat
> http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
> =============================================
>
> "CG" <cg@cg.com> wrote in message
> news:O8ICTsowEHA.3012@TK2MSFTNGP10.phx.gbl...
>> Sam -
>>
>> that tool looks exactly like what I need to have the certs "packaged"
>> with my CMAK install.
>>
>> Do you know if it can be used to deploy a Client Authentication
>> certificate to my users' local store? If so, what is the syntax and how
>> does it handle the private keys?
>>
>>
>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> news:%23Yyph1cwEHA.1192@tk2msftngp13.phx.gbl...
>>> look for a tool called Certificate manager tool:
>>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatemanagertoolcertmgrexe.asp
>>> use it with this command line:
>>>
>>> certmgr -add RootCert.cer -r localMachine -s root
>>>
>>> --
>>> =============================================
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>> =============================================
>>>
>>> "CG" <cg@cg.com> wrote in message
>>> news:eG$qciawEHA.3668@tk2msftngp13.phx.gbl...
>>>> I can do that - no problem.
>>>>
>>>> However, for my users, is there a way I can automate this so that it
>>>> goes to the correct store? Is there a command line utility that I can
>>>> import this cert to? And if there is, what are the commands to make
>>>> that happen?
>>>>
>>>> We are going to try to package a config so our users can run it and not
>>>> have to interact with it.
>>>>
>>>> Thanks Sam.
>>>>
>>>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>>>> news:eGZgeBTwEHA.3084@TK2MSFTNGP10.phx.gbl...
>>>>> When you import the certificate, just click "View physical store" and
>>>>> expand trusted root certificate authority and select machine store
>>>>>
>>>>>
>>>>> --
>>>>> =============================================
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>> =============================================
>>>>>
>>>>> "CG" <cg@cg.com> wrote in message
>>>>> news:%23fSk9LRwEHA.3768@TK2MSFTNGP10.phx.gbl...
>>>>>> I am using the Certificate Services webpage for my users to sign up
>>>>>> and download their certs (we aren't running AD). The Client
>>>>>> Authentication cert gets installed in the Local Computer store right
>>>>>> where it is supposed to be. When they download the CA certification
>>>>>> path it is installed ONLY in the Current User store. This is the case
>>>>>> whether they click the "Install this CA certification path" link or if
>>>>>> they click the "Download CA certification path" and import with the
>>>>>> wizard. If they have the Wizard automatically decide to put the cert
>>>>>> where it is supposed to go it always installs it in the Current User
>>>>>> store. When I try to authenticate with the Client Authentication cert
>>>>>> in the local store and the CA in the Current User I get an error 786.
>>>>>> I export the CA from the Current User store and import it into the
>>>>>> Local Computer into Trusted CA and everything works fine.
>>>>>>
>>>>>> My question is: is there any way to have the Trusted CA go into the
>>>>>> Local Computer store? Is this configurable on the CA server somewhere?
>>>>>>
>>>>>> With the CMAK - is it possible to build a config that includes the
>>>>>> certs and will put them into the Local Computer store?
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
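
As an added example, not part of the original thread and not Microsoft's code: one way to do the unattended install asked about above on current Windows, using the PKI module cmdlets `Import-Certificate` and `Import-PfxCertificate` instead of the certmgr/CertUtil tools named in the thread, then checking the result against the machine stores. `ClientAuth.pfx` and the parameter names are assumptions; `RootCert.cer` is the file name from the certmgr command quoted above.

```powershell
# Added example. Run elevated: writing to Cert:\LocalMachine needs administrator rights.
param(
    [string]$RootCertPath  = '.\RootCert.cer',    # CA certificate (file name from the thread)
    [string]$ClientPfxPath = '.\ClientAuth.pfx',  # hypothetical export of the client cert + key
    [Parameter(Mandatory)][securestring]$PfxPassword
)
$ErrorActionPreference = 'Stop'

# 1. CA certificate -> Local Computer "Trusted Root Certification Authorities".
$root = Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root

# 2. Client certificate and private key -> Local Computer "Personal".
#    -Exportable is deliberately omitted, so the key is stored as
#    non-exportable on the target machine.
$client = Import-PfxCertificate -FilePath $ClientPfxPath -Password $PfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My

# 3. Check what the VPN client needs: a private key, the Client Authentication
#    EKU, and a trust chain that builds from the machine stores alone.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $client.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasClientAuth = $eku -and
    (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)

# $true = machine context, so a CA present only in the Current User store does not count.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL lookup
$chainOk = $chain.Build($client)

[pscustomobject]@{
    RootThumbprint   = $root.Thumbprint
    ClientThumbprint = $client.Thumbprint
    HasPrivateKey    = $client.HasPrivateKey
    ClientAuthEku    = [bool]$hasClientAuth
    MachineChainOk   = $chainOk
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

If one PFX is shipped to every user, each machine holds the same private key, so revoking that certificate cuts off all of them at once.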


