Pushing a PFX Certificate to Users

[Jeff]

I am interested in using a GP or script to push an
Internet Explorer (exported) PFX Certificate that is
issued by web sites outside of the domain.

As a bank we use several web enabled companys for
performing tasks, such as ordering checks from Deluxe.

Deluxe issues a Certificate so that specific users can
access thier site to order checks. The certificates are
installed through Internet Explorer and then we are asked
to export the certificate as a PFX file which has the
user's password. The reason for this is so that if the
machine breaks, or the user moves to another workstation,
we can re-import the certificate and all is well.

Now, if a user accesses several workstations on the
domain, you guessed it, I have to go to each workstation
and import the certificate. Also, when we upgrade our
machines, we must do the same, or when the certificate
expires, or when the user rights are changed and a new
certificate is issued.

What I am interested in doing is pushing the PFX (not a
CER) certificate on a per user basis, so that no matter
where they sign in or what branch they go to, the
certificate is installed and ready for use. An added
bonus would be the ability to revoke the certificate when
a user leaves the organization.

This is what I have looked into:
This link was referenced

http://www.microsoft.com/windows2000/techinfo/planning/sec
urity/mappingcerts.asp

From the Chat area, I had already looked at a similar
doc, and learned that the Exported PFX could not be
imported on the Name Mappings for the User in Active
Directory.

Any ideas how I can accomplish this, it would certainly
same me a lot of time...!

Jeff Smyrski

 

[Ivan Sheng]

Hi Jeff,

According to my research, so far there is no such official document.
Personally I think it is difficult to realize since there is no
safe/feasible mothod to distinguish the user identity in other company
domain.

Ivan Sheng
Microsoft Online Partner Support
MCSD,MCSE4,2000,MCDBA,CCNA,ASE
Get Secure! ¨C www.microsoft.com/security

This posting is provided ¡°as is¡± with no warranties and confers no rights.




--------------------
| Content-Class: urn:content-classes:message
| From: "Jeff" <[email protected]>
| Sender: "Jeff" <[email protected]>
| Subject: Pushing a PFX Certificate to Users
| Date: Fri, 19 Sep 2003 08:24:37 -0700
| Lines: 44
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcN+wiMFeFJEBtrzTAKvbbiRAJA1Bg==
| Newsgroups: microsoft.public.win2000.group_policy
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:13894
| NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
| X-Tomcat-NG: microsoft.public.win2000.group_policy
|
| I am interested in using a GP or script to push an
| Internet Explorer (exported) PFX Certificate that is
| issued by web sites outside of the domain.
|
| As a bank we use several web enabled companys for
| performing tasks, such as ordering checks from Deluxe.
|
| Deluxe issues a Certificate so that specific users can
| access thier site to order checks. The certificates are
| installed through Internet Explorer and then we are asked
| to export the certificate as a PFX file which has the
| user's password. The reason for this is so that if the
| machine breaks, or the user moves to another workstation,
| we can re-import the certificate and all is well.
|
| Now, if a user accesses several workstations on the
| domain, you guessed it, I have to go to each workstation
| and import the certificate. Also, when we upgrade our
| machines, we must do the same, or when the certificate
| expires, or when the user rights are changed and a new
| certificate is issued.
|
| What I am interested in doing is pushing the PFX (not a
| CER) certificate on a per user basis, so that no matter
| where they sign in or what branch they go to, the
| certificate is installed and ready for use. An added
| bonus would be the ability to revoke the certificate when
| a user leaves the organization.
|
| This is what I have looked into:
| This link was referenced
|
| http://www.microsoft.com/windows2000/techinfo/planning/sec
| urity/mappingcerts.asp
|
| From the Chat area, I had already looked at a similar
| doc, and learned that the Exported PFX could not be
| imported on the Name Mappings for the User in Active
| Directory.
|
| Any ideas how I can accomplish this, it would certainly
| same me a lot of time...!
|
| Jeff Smyrski
|

 

[Eric Chamberlain]

If you can't map the certificate to the user in the user object, you would
need to use something like roaming profiles to move the user's certificate
store from machine to machine. Another option would be storing the
certificate on a smart card or token.

 

[Jeff]

Please refer to the following link before expressing
presonal feelings about such matters.

http://www.microsoft.com/windows2000/techinfo/planning/sec
urity/mappingcerts.asp

As far as safe, this method would in theory provide a
safer means to distribute the certificate and revoke the
certificate from a central control standpoint. When a
user is defined and trusted in the Active Directory, I
would be controlling the availablity of the certificate,
the user would then be able to select the certificate
from their personal certificates that were installed on
the specific machine.

In essance the website they are connecting to, is simply
looking for the presence of a PFX certificate that the
user signed in, would select.

-----Original Message-----
Hi Jeff,

According to my research, so far there is no such official document.
Personally I think it is difficult to realize since there is no
safe/feasible mothod to distinguish the user identity in other company
domain.

Ivan Sheng
Microsoft Online Partner Support
MCSD,MCSE4,2000,MCDBA,CCNA,ASE
Get Secure! ¨C www.microsoft.com/security

This posting is provided ¡°as is¡± with no warranties and confers no rights.




--------------------
| Content-Class: urn:content-classes:message
| From: "Jeff" <[email protected]>
| Sender: "Jeff" <[email protected]>
| Subject: Pushing a PFX Certificate to Users
| Date: Fri, 19 Sep 2003 08:24:37 -0700
| Lines: 44
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcN+wiMFeFJEBtrzTAKvbbiRAJA1Bg==
| Newsgroups: microsoft.public.win2000.group_policy
| Path: cpmsftngxa06.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.group_policy:13894
| NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
| X-Tomcat-NG: microsoft.public.win2000.group_policy
|
| I am interested in using a GP or script to push an
| Internet Explorer (exported) PFX Certificate that is
| issued by web sites outside of the domain.
|
| As a bank we use several web enabled companys for
| performing tasks, such as ordering checks from Deluxe.
|
| Deluxe issues a Certificate so that specific users can
| access thier site to order checks. The certificates are
| installed through Internet Explorer and then we are asked
| to export the certificate as a PFX file which has the
| user's password. The reason for this is so that if the
| machine breaks, or the user moves to another workstation,
| we can re-import the certificate and all is well.
|
| Now, if a user accesses several workstations on the
| domain, you guessed it, I have to go to each workstation
| and import the certificate. Also, when we upgrade our
| machines, we must do the same, or when the certificate
| expires, or when the user rights are changed and a new
| certificate is issued.
|
| What I am interested in doing is pushing the PFX (not

a