Disable install certificates on a desktop computer for users

Hi!

Below I describe how to prevent a user from installing certificates on a desktop.

Regards!

In a new GPO, under User Configuration, configure the following settings so that the user can neither install certificates through Internet Explorer nor use the Certificates snap-in:

[Image]

The next step is to use Group Policy to stop the user from installing a certificate by double-clicking the certificate file. This is done with file system security settings (not Group Policy Preferences), under Computer Configuration\Windows Settings\Security Settings\File System.

[Image]

There we add the following files (note that not all of them are executables: certmgr.msc is a console file and cryptext.dll is the shell extension that handles the double-click). On 64-bit Windows the 32-bit copies under %SystemRoot%\SysWOW64 should be added as well, otherwise a 32-bit certutil.exe remains available:

%SystemRoot%\system32\certutil.exe

%SystemRoot%\system32\CertEnrollCtrl.exe

%SystemRoot%\system32\certmgr.msc

%SystemRoot%\system32\certreq.exe

%SystemRoot%\system32\cryptext.dll

[Image]

Then add the user group and deny it permissions on those files.

[Image]

When the user double-clicks a certificate, the following message appears. Keep in mind that this only blocks the built-in tools: any other program running as the user (a script using the .NET X509Store API, or a copy of certutil.exe brought from another machine) can still call the CryptoAPI store functions, so treat this as a usability control rather than a security boundary.

[Image]

Regards
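As an added example (not part of the original post), the following PowerShell audit checks that the File System policy has actually landed on a workstation. It assumes the group denied in the GPO is called CONTOSO\Cert-Blocked-Users (a hypothetical name), that the script runs elevated after gpupdate /force, and that only the five system32 files from the post are in scope.

```powershell
# Added example, not from the original post. Verifies that each tool listed in the
# File System policy carries an explicit Deny ACE for the blocked group.
$Group = 'CONTOSO\Cert-Blocked-Users'   # assumption: the group used in the GPO
$Targets = @(
    'certutil.exe', 'CertEnrollCtrl.exe', 'certmgr.msc', 'certreq.exe', 'cryptext.dll'
) | ForEach-Object { Join-Path "$env:SystemRoot\system32" $_ }

function Test-DenyAce {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Only explicit Deny entries for the group count: an inherited entry would come
    # from the folder, not from the policy applied to the file itself.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        -not $_.IsInherited
    }
    New-Object PSObject -Property @{
        File   = $Path
        Denied = [bool]$deny
        Rights = ($deny | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
    }
}

$Targets |
    ForEach-Object { Test-DenyAce -Path $_ -Identity $Group } |
    Select-Object File, Denied, Rights |
    Format-Table -AutoSize

# Functional check, run as a member of the group: with the Deny ACE in place
# the tool fails to start with "Access is denied" instead of listing the store.
#   runas /user:CONTOSO\testuser "certutil -user -store My"
```

Any row with Denied set to False means the policy did not apply to that file (typically a wrong path in the GPO, or the policy not yet refreshed), and the corresponding tool is still usable.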

How to know if a CA is Enterprise or Standalone

Hi there!

I'm going to migrate a CA from Windows 2003 (x86) to 2008 R2, and to find out whether the CA is Standalone or Enterprise I need to do one of the following:

  • Type the command: certutil -getreg ca\catype (an Enterprise CA reports ENUM_ENTERPRISE_ROOTCA or ENUM_ENTERPRISE_SUBCA, a Standalone CA reports ENUM_STANDALONE_ROOTCA or ENUM_STANDALONE_SUBCA).
  • Open the certsrv.msc console and locate the Certificate Templates node. This node exists on Enterprise CAs only.
  • In Active Directory Sites and Services, select View > Show Services Node. Go to Services > Public Key Services > Enrollment Services. If the CA name appears there as an object, the CA is an Enterprise CA; if not, it is a Standalone CA.

Regards!
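The same two checks scripted, as an added example that is not part of the original post: the first function reads the registry value that certutil -getreg ca\catype reports, the second enumerates the Enrollment Services container the post refers to. It assumes it runs on the CA itself (PowerShell 2.0 can be installed on Windows 2003), that the account can query the domain, and that the CAType values follow the certsrv.h enumeration (0 and 1 enterprise, 3 and 4 standalone).

```powershell
# Added example, not from the original post.
function Get-CATypeFromRegistry {
    # certutil -getreg ca\catype reads this same value for the active CA instance.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $type   = (Get-ItemProperty -Path (Join-Path $base $caName) -Name CAType).CAType
    # CAType values from certsrv.h (2 is unused)
    $names = @{
        0 = 'Enterprise Root CA'
        1 = 'Enterprise Subordinate CA'
        3 = 'Standalone Root CA'
        4 = 'Standalone Subordinate CA'
    }
    New-Object PSObject -Property @{
        CAName = $caName
        CAType = [int]$type
        Kind   = $names[[int]$type]
    }
}

function Get-EnterpriseCAsFromAD {
    # Only Enterprise CAs register a pKIEnrollmentService object under
    # CN=Enrollment Services,CN=Public Key Services,CN=Services,<configuration NC>.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            CAName = $r.Properties['cn'][0]
            Host   = $r.Properties['dnshostname'][0]
        }
    }
}

$reg = Get-CATypeFromRegistry
$reg | Select-Object CAName, CAType, Kind
$inAD = (Get-EnterpriseCAsFromAD | Where-Object { $_.CAName -eq $reg.CAName }) -ne $null
"Registered in AD Enrollment Services: $inAD"
```

The two results should agree; a CA whose registry says enterprise but that is missing from Enrollment Services (or the other way round) points at a broken AD registration, which is worth fixing before the migration rather than after.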

Import pfx certificate with certutil through vbscript

After I exported all the certificates with their private keys, I developed this script, which imports every .pfx into the user's Personal store.

Option Explicit
Dim objFSO, shell, objFolder, objFile, objStartFolder, pfxPassword, cmd

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

objStartFolder = "C:\Temp"   ' folder that holds the exported .pfx files
pfxPassword = "12345678"     ' the password the .pfx files were exported with

Set objFolder = objFSO.GetFolder(objStartFolder)

For Each objFile In objFolder.Files
    ' compare the extension case-insensitively so .PFX is picked up as well
    If LCase(objFSO.GetExtensionName(objFile.Name)) = "pfx" Then
        ' import into the current user's Personal (My) store; the full path is quoted
        ' in case the folder name contains spaces, and Run waits for each import to finish
        cmd = "certutil.exe -user -p " & pfxPassword & " -importpfx """ & objFile.Path & """"
        shell.Run cmd, 0, True
    End If
Next

Export pfx certificate with certutil through vbscript

These days I'm in a desktop migration project from XP to W7 and I need to export the user certificates of all 9,000 desktops…

For that I created a VBS that does it, but on the other hand it can't do everything: exporting the serial numbers of all certificates to a file is done with a batch script.

Here I put the vbs and the batch file.

VB Script

Option Explicit
Dim shell, objFSO, objFile, strSearchString, CertID, cmd
Const ForReading = 1

Set shell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Run the batch file that dumps the user's Personal store to certs.txt and wait
' for it to finish, instead of sleeping a fixed 10 seconds and hoping it is done
shell.Run "\\server\share\VolcadoCert.bat", 0, True

Set objFile = objFSO.OpenTextFile("\\private user folder\certs.txt", ForReading)

Do Until objFile.AtEndOfStream
    strSearchString = objFile.ReadLine
    ' certutil -store prints one "Serial Number: <hex>" line per certificate
    If Left(strSearchString, 15) = "Serial Number: " Then
        ' the serial starts at position 16 ("Serial Number: " is 15 characters);
        ' Mid without a length returns the rest of the line
        CertID = Trim(Mid(strSearchString, 16))
        ' export by serial number; naming the file after the serial keeps two certificates
        ' exported within the same second from overwriting each other
        cmd = "certutil.exe -user -p 12345678 -exportpfx " & CertID & _
              " ""\\private user folder\certificat_" & CertID & ".pfx"""
        shell.Run cmd, 0, True
    End If
Loop

objFile.Close

.bat

REM overwrite (>) rather than append (>>) so a re-run does not list the same serials twice
certutil -user -store My > "\\private user folder\certs.txt"
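The export post and the import post above both drive certutil from VBScript with a fixed password written into the scripts; as an added example that is not part of either post, the PowerShell below does the same migration through the .NET X509Store API, which exists on PowerShell 2.0 (installable on XP, built into Windows 7) without the later PKI module cmdlets. It prompts for the PFX password as a SecureString instead of hard-coding it, names each file after the certificate thumbprint, and skips certificates whose private key is not marked exportable, which is the case where certutil -exportpfx also fails. The folder paths and the Exportable flag on import are assumptions to adjust.

```powershell
# Added example, not from the original posts. Export every CurrentUser\My certificate
# that has a private key to <thumbprint>.pfx, and import such files back.

function Export-UserPfx {
    param(
        [Parameter(Mandatory=$true)][string]$OutFolder,
        [Parameter(Mandatory=$true)][securestring]$Password
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }   # nothing to migrate without the key
            $path = Join-Path $OutFolder ("{0}.pfx" -f $cert.Thumbprint)
            try {
                # Export throws a CryptographicException when the key is not exportable
                $bytes = $cert.Export('Pfx', $Password)
                [System.IO.File]::WriteAllBytes($path, $bytes)
                Write-Output ("exported {0} -> {1}" -f $cert.Subject, $path)
            } catch [System.Security.Cryptography.CryptographicException] {
                Write-Warning ("skipped {0}: private key is not exportable" -f $cert.Subject)
            }
        }
    } finally {
        $store.Close()
    }
}

function Import-UserPfx {
    param(
        [Parameter(Mandatory=$true)][string]$InFolder,
        [Parameter(Mandatory=$true)][securestring]$Password
    )
    # PersistKeySet keeps the key in the user's key container after the object is released;
    # drop Exportable if the keys must not be re-exportable on the new desktop (assumption).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet, Exportable'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    try {
        foreach ($file in Get-ChildItem -Path $InFolder -Filter *.pfx) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
            $cert.Import($file.FullName, $Password, $flags)
            $store.Add($cert)   # adding an existing thumbprint is a no-op, so re-runs are safe
            Write-Output ("imported {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
        }
    } finally {
        $store.Close()
    }
}

# Usage (folder is an assumption): same password on both sides of the migration
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-UserPfx -OutFolder 'C:\Temp' -Password $pw
Import-UserPfx -InFolder  'C:\Temp' -Password $pw
```

Whatever tool does the export, the .pfx files carry the users' private keys, so the password is the only thing protecting them on the migration share: use one that is not guessable, restrict the share ACL to the migration account, and delete the files once the import on the new desktop has been verified.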