Windows Server utility tool certutil.exe. RRS feed

  • Question

  • The environment and the objectives:

    1. Windows 2003/2008 Domain Controller and Active Directory.
    2. A Domain admin wants to deploy a third-party CA Root certificate and a client certificate issued by the CA using a GPO.
    3. The Root CA certificate is not one of the default entities in the Windows cert store (Trusted Root Certificate Authorities).
    4. The client certificate is issued by the CA with a password assigned to it, which must be used when it is installed.
    5. The Domain admin creates a GPO to deploy the certificates to Windows XP and Windows 7 client machines (in the domain).
    6. There is no issue deploying the Root CA certificate to the client machines.
    7. The issue is with the client certificate deployment.

    Our current deployment method:

    1. A Domain admin creates a logon script and put it in the %LogonServer%\NetLogon directory on the server.
    2. The domain admin creates a GPO in which the logon script is assigned to its Logon scrip (User Configuration – Windows Settings – Scripts – Logon)
    3. We deploy the password-protected client certificate to the client machines using the GPO.
      1. It must be installed in admin users’ CURRENT_USER and LOCAL_MACHINE Personal cert stores during the user’s logon via the GPO.
      2. It must be installed in restricted users’ CURRENT_USER Personal cert store during the user’s logon via the GPO.
    1. The batch script has the password to the client certificate hard-coded in it.
    2. The batch script uses the Windows Server utility tool (certutil.exe) to install it.
    3. This method works fine in terms of functionality and performance.

    The security concern we have:

    1. The %LogonServer%\NetLogon directory is open to every authenticated user. Although it requires authentication (Kerberos) for a user to be able to have the read access to the logon script describe above.

    A better solution / alternative method we’re seeking:

    1. A way to deploy a password-protected client certificate without exposing the password to the non-admin users.
    2. This should be done through a GPO.
    Monday, December 12, 2011 5:57 PM

All replies

  • Get the 3rd party to have the end user generate the key pair as part of their request. Use credential roaming to get the certificates on other machines securely.
    Wednesday, December 21, 2011 3:23 AM