Re: Certificate Installation Question

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/05/04

    Date: Fri, 5 Nov 2004 11:50:00 -0800
    
    

    CertMgr is the tool to use if you have the certificate in a file. It is
    almost the same command line, just point to the current user store
    (-r currentuser) (or don't specify it, it's the default).

    Command looks like: certmgr -add test.cer -s my

    -- 
          =============================================
      This posting is provided "AS IS" with no warranties, and confers no rights
    Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and 
    troubleshooting RADIUS using IAS"
    This chat will help you resolve all of your RADIUS/IAS issues. You can ask 
    about RADIUS, IAS, 802.1x, Active directory configuration and Certificate 
    services, related to IAS and RADIUS
    Follow this link to join the chat
    http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
          =============================================
    "CG" <cg@cg.com> wrote in message 
    news:eQ4uhs0wEHA.1452@TK2MSFTNGP11.phx.gbl...
    > Is it possible to have a local computer Client Authentication certificate 
    > installed using CertUtil.exe? It needs to be in the local computer store. 
    > I have the cert as a file (when I created the cert I made it exportable).
    >
    > What I am trying to do is to create a package with CMAK and have the certs 
    > install (Client Authentication as well as the Trusted CA) as well as setup 
    > the VPN connection. I do not necessarily need to have a different cert for 
    > each user. Unfortunately, most of the VPN users aren't part of the domain.
    >
    > Thanks again.
    >
    >
    >
    > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
    > news:u$hL5NuwEHA.1192@tk2msftngp13.phx.gbl...
    >> For that task you need to request a certificate for your clients. You can 
    >> do it through a web page or with some automation tools "CertUtil.exe" 
    >> which ships with Windows server 2003, might be a better choice in this 
    >> case
    >>
    >> If your clients are members of the domain, you can do this through Group 
    >> Policy and AutoEnrollment. That would save you a lot of time
    >>
    >> Another option is to issue your users SmartCards, which contain the 
    >> needed certificate. This might be a better choice if you're seeking 
    >> greater level of security
    >>
    >>
    >> -- 
    >>      =============================================
    >>  This posting is provided "AS IS" with no warranties, and confers no 
    >> rights
    >>
    >> Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using 
    >> and troubleshooting RADIUS using IAS"
    >> This chat will help you resolve all of your RADIUS/IAS issues. You can 
    >> ask about RADIUS, IAS, 802.1x, Active directory configuration and 
    >> Certificate services, related to IAS and RADIUS
    >> Follow this link to join the chat
    >> http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
    >>      =============================================
    >>
    >> "CG" <cg@cg.com> wrote in message 
    >> news:O8ICTsowEHA.3012@TK2MSFTNGP10.phx.gbl...
    >>> Sam -
    >>>
    >>> that tool looks exactly like what I need to have the certs "packaged" 
    >>> with my CMAK install.
    >>>
    >>> Do you know if it can be used to deploy a Client Authentication 
    >>> certificate to my users' local store? If so, what is the syntax and how 
    >>> does it handle the private keys?
    >>>
    >>>
    >>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
    >>> news:%23Yyph1cwEHA.1192@tk2msftngp13.phx.gbl...
    >>>> look for a tool called Certificate manager tool: 
    >>>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatemanagertoolcertmgrexe.asp
    >>>> use it with this command line:
    >>>>
    >>>> certmgr -add RootCert.cer -r localMachine -s root
    >>>>
    >>>> -- 
    >>>>      =============================================
    >>>>  This posting is provided "AS IS" with no warranties, and confers no 
    >>>> rights.
    >>>>      =============================================
    >>>>
    >>>> "CG" <cg@cg.com> wrote in message 
    >>>> news:eG$qciawEHA.3668@tk2msftngp13.phx.gbl...
    >>>>> I can do that - no problem.
    >>>>>
    >>>>> However, for my users, is there a way I can automate this so that it 
    >>>>> goes to the correct store? Is there a command line utility that I can 
    >>>>> import this cert to? And if there is, what are the commands to make 
    >>>>> that happen?
    >>>>>
    >>>>> We are going to try to package a config so our users can run it and 
    >>>>> not have to interact with it.
    >>>>>
    >>>>> Thanks Sam.
    >>>>>
    >>>>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
    >>>>> news:eGZgeBTwEHA.3084@TK2MSFTNGP10.phx.gbl...
    >>>>>> When you import the certificate, just click "View physical store" and 
    >>>>>> expand trusted root certificate authority and select machine store
    >>>>>>
    >>>>>>
    >>>>>> -- 
    >>>>>>      =============================================
    >>>>>>  This posting is provided "AS IS" with no warranties, and confers no 
    >>>>>> rights.
    >>>>>>      =============================================
    >>>>>>
    >>>>>> "CG" <cg@cg.com> wrote in message 
    >>>>>> news:%23fSk9LRwEHA.3768@TK2MSFTNGP10.phx.gbl...
    >>>>>>> I am using the Certificate Services webpage for my users to sign up and
    >>>>>>> download their certs (we aren't running AD). The Client Authentication cert
    >>>>>>> gets installed in the Local Computer store right where it is supposed to be.
    >>>>>>> When they download the CA certification path it is installed ONLY in the
    >>>>>>> Current User store. This is the case whether they click the "Install this CA
    >>>>>>> certification path" link or if they click the "Download CA certification
    >>>>>>> path" and import with the wizard. If they have the Wizard automatically
    >>>>>>> decide to put the cert where it is supposed to go it always installs it in
    >>>>>>> the Current User store. When I try to authenticate with the Client
    >>>>>>> Authentication cert in the local store and the CA in the Current User I get
    >>>>>>> an error 786. I export the CA from the Current User store and import it into
    >>>>>>> the Local Computer into Trusted CA and everything works fine.
    >>>>>>>
    >>>>>>> My question is - is there any way to have the Trusted CA go into the Local
    >>>>>>> Computer store? Is this configurable on the CA server somewhere?
    >>>>>>>
    >>>>>>> With the CMAK - is it possible to build a config that includes the certs and
    >>>>>>> will put them into the Local Computer store?
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    > 
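
A check for the store-placement problem discussed in this thread, added here as an example and not part of any poster's message: it reports which stores hold a given certificate file and whether a private key is attached there. It assumes PowerShell with the built-in Cert: drive; `Get-CertStorePlacement` is a hypothetical helper name, and `RootCert.cer` is the file name used in the thread.

```powershell
# Added example (not from the thread): show where a certificate actually landed.
# Get-CertStorePlacement is a hypothetical helper; RootCert.cer is the file name
# used in the thread's certmgr command.
function Get-CertStorePlacement {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Stores = @('LocalMachine\Root', 'CurrentUser\Root',
                               'LocalMachine\My',   'CurrentUser\My')
    )

    # Load the certificate from the file so it can be matched by thumbprint.
    $file = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    foreach ($store in $Stores) {
        # Look for the same certificate in this store.
        $hit = Get-ChildItem -Path "Cert:\$store" |
               Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
               Select-Object -First 1

        [pscustomobject]@{
            Store         = $store
            Present       = [bool]$hit
            # A certificate used for client authentication needs its private key
            # in the store; a trusted root entry does not.
            HasPrivateKey = if ($hit) { $hit.HasPrivateKey } else { $null }
            Subject       = $cert.Subject
        }
    }
}

# For the setup described in the thread, the CA certificate should show
# Present = True for LocalMachine\Root.
Get-CertStorePlacement -Path .\RootCert.cer |
    Format-Table Store, Present, HasPrivateKey -AutoSize
```

Running the same function against the client certificate file shows whether it is in `LocalMachine\My` and whether `HasPrivateKey` is `True` there.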
    
