Trusted Root Certificates

(imported topic written by SystemAdmin)

Hello,

Can BigFix be used to deploy a certificate? The certificate needs to appear in the “Trusted Root Certification Authority” folder on Windows 2000, XP and 2003 computers. Basically I need to add this to 24000 machines.

(imported comment written by BenKus)

Hey Peter,

I believe that these certificates are “public” and therefore can be easily distributed through BES without any security concerns (can anyone confirm this for me?)

So the only trick is finding the right action… Does anyone know of a command-line option or folder location to add a certificate? If so, we can help with the action…

Ben

(imported comment written by sthull)

It looks like CertMgr from MS .Net Framework Tools can be used for certificate public keys, using a command like:

certmgr -add -all -c "MyCA.p7b" -s -r localMachine Root

For certs w/ private key, another tool would have to be used, like WinHttpCertCfg. If you can confirm these commands work to install the certs, then it should be straight forward to setup an action script to download the cert and run the appropriate command.

(imported comment written by RoBolton91)

We’re trying to do this also… I can run the vbs outside of BigFix fine but not within BigFix… Here is the example for the cert deployment with the name *** out…

createfile until END_OF_SCRIPT
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
oShell.Run("certmgr.exe -add -c ****.cer -s -r localMachine root")
END_OF_SCRIPT
copy __Download\Proxy_Cert\certmgr.exe
copy __Download\Proxy_Cert\****.cer
delete Cert_Deploy.vbs
move __createfile Cert_deploy.vbs

What am I missing…

(imported comment written by RoBolton91)

no reply… I’m not breaking new ground here…

(imported comment written by pmullins91)

RoBolton

no reply… I’m not breaking new ground here…

A couple of possibilities: If what you have above is the entirety of your action, you are not executing the script. Aside from that, the script doesn’t appear to live in the same directory as certmgr.exe and foo.cer, so it can’t find them.

(imported comment written by SystemAdmin)

You can indeed do this, but certmgr is a dead-end that I already explored.

The trusted root certificates are stored under "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates". Each cert has its own unique entry under it. When adding a cert, just monitor changes to the registry using whatever method you use for this and you will see the new key appear under there. There will then be a binary value named "Blob" under the key. Export the key and write a fixlet to import that entry into the registry. I have the fixlet checking for the existence of the key (it is always the same name for each cert) in the registry and established it as a policy, so our root CA cert is always imported onto new machines.

One thing to keep in mind when importing a certificate via double clicking it in Windows is that the default action is to import the cert into the personal store. That will just affect the currently logged on user. What you will most likely want to do is import the cert into the local computer store. Instead of automatically placing the cert, click “Place all certificates in the following store” and “Browse”, then “Show physical stores”, select “Trusted Root Certification Authorities” and then “Local Computer”.

Hopefully that helps some folks out; it works great here.
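The post above checks only that the registry key exists. As an added example (not code from the thread or from BigFix), the Python below models the layout the post describes: one subkey per root certificate, named by the certificate's SHA-1 thumbprint, holding a binary "Blob" value. It computes the subkey name you should expect for a given DER-encoded certificate and parses the Blob to confirm the stored bytes really are the certificate you intended to trust, rather than some other entry that happens to carry the same key name. The Blob record layout (property id, reserved word, length, data) and the two property ids used are assumptions taken from the CryptoAPI store format, not something the thread states; the sample DER bytes are a constructed stand-in, not a real certificate.

```python
"""Verify a Windows machine ROOT store entry against the certificate you meant to deploy.

Added example, not code from the forum thread. The Blob record layout and the property
ids below are assumptions about the CryptoAPI store format, not facts from the thread.
"""
import hashlib
import struct
import sys
from typing import Optional

# CryptoAPI certificate property ids that appear inside the Blob value (assumed values).
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32  # the DER-encoded certificate itself

REG_PATH = r"SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"


def expected_subkey(der: bytes) -> str:
    """Subkey name Windows uses for a certificate: uppercase hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def build_cert_blob(der: bytes) -> bytes:
    """Emulate the Blob value written on import (used here to construct offline sample
    input; a real blob carries more properties than these two)."""
    records = [
        (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
        (CERT_CERT_PROP_ID, der),
    ]
    out = b""
    for prop_id, data in records:
        # Each record: DWORD property id, DWORD reserved (=1), DWORD byte length, data.
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return out


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}; raise ValueError if it is truncated."""
    props = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 12:
            raise ValueError("truncated property header at offset %d" % pos)
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        pos += 12
        if reserved != 1 or len(blob) - pos < length:
            raise ValueError("malformed property %d at offset %d" % (prop_id, pos - 12))
        props[prop_id] = blob[pos:pos + length]
        pos += length
    return props


def verify_installed(subkey_name: str, blob: bytes, der: bytes) -> bool:
    """True only if the subkey name AND the certificate stored in the Blob match our DER.
    Checking the key name alone trusts the name; this also confirms the stored bytes."""
    if subkey_name.upper() != expected_subkey(der):
        return False
    props = parse_cert_blob(blob)
    if props.get(CERT_CERT_PROP_ID) != der:
        return False
    sha1 = props.get(CERT_SHA1_HASH_PROP_ID)
    return sha1 is None or sha1 == hashlib.sha1(der).digest()


def read_blob_from_registry(thumbprint: str) -> Optional[bytes]:
    """Windows-only helper: fetch the Blob for a thumbprint from HKLM, or None if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH + "\\" + thumbprint) as key:
            value, _type = winreg.QueryValueEx(key, "Blob")
            return value
    except OSError:
        return None


# Constructed stand-in for a DER-encoded root certificate (NOT a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-root-ca-der-bytes" * 4
SAMPLE_SUBKEY = expected_subkey(SAMPLE_DER)
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER)

if __name__ == "__main__":
    print("expected key: HKLM\\" + REG_PATH + "\\" + SAMPLE_SUBKEY)
    print("matches:", verify_installed(SAMPLE_SUBKEY, SAMPLE_BLOB, SAMPLE_DER))
    live = read_blob_from_registry(SAMPLE_SUBKEY)
    print("present on this machine:", live is not None and verify_installed(SAMPLE_SUBKEY, live, SAMPLE_DER))
```

On a Windows endpoint, `read_blob_from_registry(expected_subkey(der))` followed by `verify_installed` is the check the post's relevance approximates; off Windows the sample values exercise the same logic.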

(imported comment written by SystemAdmin)

If the machines are part of a Windows domain, create a computer policy (Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.) This is the easiest and fastest approach.

This alternative method can be used regardless of domain membership. If your target machines are XP, 2000, and/or 2003, get certutil.exe, certcli.dll, and certadm.dll off a Windows 2003 server (package them with your custom task); you can then use the certutil utility to do the import:

certutil [Options] -addstore CertificateStoreName InFile

Note: If you have Vista, Win7, and/or Windows 2008 target machines, you’ll need to use the corresponding W2k8 utilities.

(imported comment written by RoBolton91)

BrianK - I know about the registry location for the cer and I have found it but it does not show up under “Trusted Root Certification Authorities” when I do a registry file push. So when you go to “Trusted Root Certification Authorities”, do you see the cer in there when you do the registry file push?

JonL - We are moving away from the large amounts of GPO garbage within our environment and will not be using more than 3 GPOs (USERS, COMPUTERS and SERVERS) based on the regional locations. Most of the things within GPOs will be handled during application packaging.

(imported comment written by SystemAdmin)

RoBolton-

Yes, the certificate is immediately available to any application that uses the Windows certificate stores. If you hit refresh, you will also see it in the store. The only thing I can think of is that you may be looking in the personal certificate store rather than the computer certificate store, which is the key that I mentioned in my post. I prefer writing to the computer store so the certificate is available to all users and services, though obviously this would not be the preferred method for something like a “client” certificate.

(imported comment written by SystemAdmin)

Is there a way to check if a certificate has already been installed?

I’m installing it in Trusted and am unable to locate it in "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates".

(imported comment written by SystemAdmin)

Are you installing the certificate in the user’s store or the local computer store? The relevance I use to check if it is installed looks at the same key you mentioned, so I bet that is what is happening.

(imported comment written by SystemAdmin)

Good question, I don’t know. I’m using the following command to install it:

certutil -addstore root mycert2011.cer

Is there a way for me to find out?

(imported comment written by SystemAdmin)

A good way to do this is a combination of a task and analysis. Create a task to dump out the metadata of the desired certificate store to a file, then parse the results with an analysis.

Sample Task to dump certificate data. Note that “My” can be replaced with “CA” or “Root” to dump the desired info. If you need to query additional details, add “-v” for verbose output.

delete __appendfile
delete c:\cert\certinfo.bat
appendfile @echo off
appendfile c:
appendfile cd\
appendfile cd cert
appendfile certutil -store My > certinfo.log
copy __appendfile c:\cert\certinfo.bat
wait c:\cert\certinfo.bat

The corresponding analysis can be as simple as:

Property: content of file "c:\cert\certinfo.log" contains ""

Relevance: exists file “c:\cert\certinfo.log”

In my situation, I look for the template name issued by our enterprise CA as the unique criteria. That way I can tell if autoenrollment would be successful for a given certificate.
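The analysis above is a substring match over the dumped store. As an added example (not code from the thread or from BigFix), the Python below performs the same check more robustly: it parses the block layout of `certutil -store` output into one record per certificate and answers the two questions raised in this part of the thread, whether a given SHA-1 thumbprint is present and which certificates were issued from a particular enterprise CA template. The sample log is constructed to follow certutil's layout; its hashes, names and template are made-up placeholders, and the exact field set a given certutil build prints is an assumption.

```python
"""Parse `certutil -store <StoreName>` output and decide whether a certificate is present.

Added example, not from the forum thread. The sample log is constructed; all values in it
are placeholders rather than real certificates.
"""
import re

# Constructed stand-in for c:\cert\certinfo.log as written by `certutil -store Root`.
SAMPLE_LOG = """Root
================ Certificate 0 ================
Serial Number: 0123456789abcdef
Issuer: CN=Example Enterprise Root CA, DC=example, DC=local
 NotBefore: 1/1/2011 9:00 AM
 NotAfter: 1/1/2031 9:00 AM
Subject: CN=Example Enterprise Root CA, DC=example, DC=local
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: ExampleRootCA
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
No key provider information
================ Certificate 1 ================
Serial Number: 79ad16a14aa0a5ad4c7358f407132e65
Issuer: CN=Some Public Root, O=Some Vendor
 NotBefore: 5/9/2001 4:19 PM
 NotAfter: 5/9/2021 4:28 PM
Subject: CN=Some Public Root, O=Some Vendor
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
No key provider information
CertUtil: -store command completed successfully.
"""

# certutil separates certificates with a banner line such as "==== Certificate 0 ====".
BLOCK_HEADER = re.compile(r"^=+ Certificate (\d+) =+$", re.MULTILINE)


def parse_certutil_store(text: str) -> list:
    """Return one dict per certificate block: subject, issuer, template and the SHA-1
    thumbprint normalised to 40 uppercase hex characters with no spaces."""
    certs = []
    headers = list(BLOCK_HEADER.finditer(text))
    for i, hdr in enumerate(headers):
        start = hdr.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[start:end].splitlines():
            if ":" not in line:
                continue  # status lines such as "Signature matches Public Key"
            name, _, value = line.partition(":")  # split on the first colon only
            fields[name.strip()] = value.strip()
        certs.append({
            "index": int(hdr.group(1)),
            "subject": fields.get("Subject", ""),
            "issuer": fields.get("Issuer", ""),
            "template": fields.get("Template", ""),
            "sha1": fields.get("Cert Hash(sha1)", "").replace(" ", "").upper(),
        })
    return certs


def is_installed(text: str, thumbprint: str) -> bool:
    """Thumbprint check tolerant of the spacing and case used by certutil and other tools."""
    want = re.sub(r"[^0-9a-fA-F]", "", thumbprint).upper()
    if len(want) != 40:
        raise ValueError("thumbprint must be 40 hex digits")
    return any(c["sha1"] == want for c in parse_certutil_store(text))


def issued_from_template(text: str, template: str) -> list:
    """Subjects of certificates whose Template field matches (the poster's enterprise-CA criterion)."""
    return [c["subject"] for c in parse_certutil_store(text) if c["template"] == template]


if __name__ == "__main__":
    for cert in parse_certutil_store(SAMPLE_LOG):
        print(cert["index"], cert["sha1"], cert["subject"], "template=%r" % cert["template"])
    print(is_installed(SAMPLE_LOG, "00112233445566778899AABBCCDDEEFF00112233"))
```

Feeding the real `c:\cert\certinfo.log` to `is_installed` with the thumbprint of the certificate you deployed gives a yes/no answer that does not depend on how certutil happens to space the hash.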

(imported comment written by cstoneba)

What I’ve found works pretty well for the relevance is :

value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}" of native registry as string < "

…and then I just install KB931125