Trying to push an SSL cert to all the machines in my domain. I have the cert file; I just need some help with the steps needed to install it.
Step 1: Figure out how you'd manually do this from the command line.
Step 2: Tell BigFix to do step 1.
If they are domain-joined, the easiest way to establish trust is via PKI GPO. Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
If you want to do it via BigFix, for Windows computers, attach the cert as a package, then use certutil commands, VBS, or PowerShell to import it.
To add a Root CA cert, for example:
waithidden cmd /C certutil.exe -addstore -f Root __download\<RootCAfile>.cer
If you are talking about enrolling for unique SSL certs for each machine, then I recommend setting up a Microsoft Enterprise Certificate Authority structure integrated into your domain. This works very well. I maintain an array of CAs that service the thousands of endpoints in our environment. If the PKI structure is set up properly, it can be leveraged for users, mobile devices, and network devices in addition to servers and workstations.
In our environment, I have different certificate templates set up in Active Directory based on the class and role of system. Via a GPO, computers and users autoenroll to their respective certificate templates. Once the unique certs are local to each system, then I run scripts in BigFix to update bindings, whether IIS or WebLogic, to use the new cert instead of the expiring one.