Can BigFix be used to deploy a certificate? The certificate needs to appear in the “Trusted Root Certification Authority” folder on Windows 2000, XP and 2003 computers. Basically I need to add this to 24000 machines.
I believe that these certificates are “public” and therefore can be easily distributed through BES without any security concerns (can anyone confirm this for me?)
So the only trick is finding the right action… Does anyone know of a command-line option or folder location to add a certificate? If so, we can help with the action…
For certs w/ private key, another tool would have to be used, like WinHttpCertCfg. If you can confirm these commands work to install the certs, then it should be straightforward to set up an action script to download the cert and run the appropriate command.
We’re trying to do this also… I can run the VBS fine outside of BigFix but not within BigFix… Here is the example for the cert deployment with the name *** out…
createfile until END_OF_SCRIPT
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
A couple of possibilities: If what you have above is the entirety of your action, you are not executing the script. Aside from that, the script doesn’t appear to live in the same directory as certmgr.exe and foo.cer, so it can’t find them.
You can indeed do this, but certmgr is a dead-end that I already explored.
The trusted root certificates are stored under “HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates”. Each cert has its own unique entry under it. When adding a cert, just monitor changes to the registry using whatever method you use for this and you will see the new key appear under there. There will then be a binary value named “Blob” under the key. Export the key and write a fixlet to import that entry into the registry. I have the fixlet checking for the existence of the key (it is always the same name for each cert) in the registry and established it as a policy, so our root CA cert is always imported onto new machines.
One thing to keep in mind when importing a certificate via double clicking it in Windows is that the default action is to import the cert into the personal store. That will just affect the currently logged on user. What you will most likely want to do is import the cert into the local computer store. Instead of automatically placing the cert, click “Place all certificates in the following store” and “Browse”, then “Show physical stores”, select “Trusted Root Certification Authorities” and then “Local Computer”.
Hopefully that helps some folks out-- it works great here.
If the machines are part of a Windows domain, create a computer policy (Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.) This is the easiest and fastest approach.
This alternative method can be used regardless of domain membership. If your target machines are XP, 2000, and/or 2003, get certutil.exe, certcli.dll, and certadm.dll off a Windows 2003 server (package them with your custom task); then you can use the certutil utility to do the import:
CertUtil options:
-addstore CertificateStoreName InFile
Note: If you have Vista, Win7, and/or Windows 2008 target machines, you’ll need to use the corresponding W2k8 utilities.
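Added example, not code from any post in this thread: it does in PowerShell what the certutil -addstore post and the registry Blob post above describe, importing a .cer into the computer’s Root store (not the user’s) and then confirming that the registry key named after the thumbprint exists and that its Blob carries the same DER certificate as the file. The file path and script name are assumptions. PowerShell is not shipped on the Windows 2000/XP/2003 clients the thread targets, so for those the certutil route is still needed; on newer clients this needs an elevated or SYSTEM context, which the BES client already provides.

```powershell
# Added example (not from the thread). Installs a CA certificate into
# LocalMachine\Root and verifies it through the registry key the thread
# describes. Requires PowerShell and an elevated (or SYSTEM) context.
param(
    # Assumed path; the thread's example used foo.cer, the folder is a guess.
    [string]$CerPath = 'C:\cert\foo.cer'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Guard: only CA certificates belong in Root. A leaf certificate placed there is
# trusted directly, which is almost always a mistake. V1 roots carry no
# extensions at all, so a missing Basic Constraints extension only warns.
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if ($null -eq $bc) {
    Write-Warning "No Basic Constraints extension on $($cert.Subject); verify it is really a root CA"
} elseif (-not $bc.CertificateAuthority) {
    throw "$CerPath is not a CA certificate (cA=false); refusing to install into Root"
}

# Import into the computer store, so every user and service sees it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Host "Installed $($cert.Subject) ($($cert.Thumbprint))"
    } else {
        Write-Host "Already present: $($cert.Thumbprint)"
    }
} finally {
    $store.Close()
}

# Verify via the registry key from the thread: the key name is the SHA-1
# thumbprint, and the Blob value is a sequence of serialized properties, each
# record being propid (DWORD), reserved (DWORD, always 1), length (DWORD), data.
# Property 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
$regKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$($cert.Thumbprint)"
if (-not (Test-Path $regKey)) { throw "Registry key $regKey not found after import" }

[byte[]]$blob = (Get-ItemProperty -Path $regKey -Name Blob).Blob
$pos = 0
$matched = $false
while (($pos + 12) -le $blob.Length) {
    $propId = [BitConverter]::ToUInt32($blob, $pos)
    $len    = [int][BitConverter]::ToUInt32($blob, $pos + 8)
    if ($propId -eq 32) {
        [byte[]]$der = $blob[($pos + 12)..($pos + 11 + $len)]
        $matched = ([Convert]::ToBase64String($der) -eq [Convert]::ToBase64String($cert.RawData))
        break
    }
    $pos += 12 + $len
}
if (-not $matched) { throw "Blob under $regKey does not contain the certificate from $CerPath" }
Write-Host "Verified: $regKey holds the expected DER certificate"
```

From a BES action the script and the .cer are downloaded first and the script is then launched with something like `wait powershell.exe -ExecutionPolicy Bypass -File "C:\cert\install-root.ps1"` (script name assumed). The Blob walk is the same structure you see when you export the key as a .reg file, which is why a registry push of an exported key works: the key name and the DER inside the Blob are all the store needs.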
BrianK - I know about the registry location for the cert and I have found it, but it does not show up under “Trusted Root Certification Authorities” when I do a registry file push. So when you go to “Trusted Root Certification Authorities”, do you see the cert in there when you do the registry file push?
JonL - We are moving away from the large amount of GPO garbage within our environment and will not be using more than 3 GPOs (USERS, COMPUTERS and SERVERS) based on the regional locations. Most of the things within GPOs will be handled during application packaging.
Yes, the certificate is immediately available to any application that uses the Windows certificate stores. If you hit refresh, you will also see it in the store. The only thing I can think of is that you may be looking in the personal certificate store rather than the computer certificate store, which is the key that I mentioned in my post. I prefer writing to the computer store so the certificate is available to all users and services, though obviously this would not be the preferred method for something like a “client” certificate.
Are you installing the certificate in the user’s store or the local computer store? The relevance I use to check if it is installed looks at the same key you mentioned, so I bet that is what is happening.
A good way to do this is a combination of a task and analysis. Create a task to dump out the metadata of the desired certificate store to a file, then parse the results with an analysis.
Sample Task to dump certificate data. Note that “My” can be replaced with “CA” or “Root” to dump the desired info. If you need to query additional details, add “-v” for verbose output.
delete __appendfile
delete c:\cert\certinfo.bat
appendfile @echo off
appendfile c:
appendfile cd\
appendfile cd cert
appendfile certutil -store My > certinfo.log
copy __appendfile c:\cert\certinfo.bat
wait c:\cert\certinfo.bat
The corresponding analysis can be as simple as:
Property: content of file "c:\cert\certinfo.log" contains ""
Relevance: exists file “c:\cert\certinfo.log”
In my situation, I look for the template name issued by our enterprise CA as the unique criteria. That way I can tell if autoenrollment would be successful for a given certificate.
What I’ve found works pretty well for the relevance is:
value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}" of native registry as string < "