
Adding a certificate to the trusted store. Where certificates live on Windows systems

Installing self-signed certificates is a very common task for a system administrator. Usually it is done by hand, but what if there is not one machine but dozens? And what about reinstalling the system or buying a new PC, given that there may be more than one certificate? Write a cheat sheet for redoing it every time? Why, when there is a much simpler and more convenient way: Active Directory Group Policy. Configure the policy once and you no longer need to worry about whether users have the certificates they need.

Today we will look at certificate distribution using the example of the Zimbra root certificate, which we exported to a file beforehand. Our task is this: automatically distribute the certificate to all computers that belong to the Office organizational unit (OU). This lets us avoid installing the certificate where it is not needed: on servers, warehouse and cash-register PCs, and so on.

Open the Group Policy Management snap-in and create a new policy in the Group Policy Objects container: right-click the container and choose New. One policy can install a single certificate or several at once; that is up to you. We prefer to create a separate policy for each certificate, as it allows the rules for applying them to be changed more flexibly. Also give the policy a clear name, so that when you open the console six months later you do not have to strain to remember what it is for.

Then drag the policy onto the Office container; this links it to that OU.

Now right-click the policy and choose Edit. In the Group Policy Management Editor that opens, expand Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Right-click in the right pane, choose Import and import the certificate.

The policy is created; now it is time to check that it applies correctly. In the Group Policy Management snap-in select Group Policy Modeling, right-click it and start the Group Policy Modeling Wizard.

Most settings can be left at their defaults; the only things to specify are the user and the computer for which you want to check the policy.

The simulation lets us confirm that the policy is applied to the specified computer. If it is not, expand Denied GPOs and look at the reason the policy turned out to be inapplicable to this user or computer.

Then check how the policy works on a client PC. To do that, refresh the policies by hand with the command:

gpupdate

Now open the certificate store. The easiest way is through Internet Explorer: Tools > Internet Options > Content > Certificates. Our certificate must appear on the Trusted Root Certification Authorities tab.

As you can see, everything works and the administrator has one headache fewer: the certificate will automatically propagate to all computers placed in the Office OU. If necessary, you can set more complex conditions for applying the policy, but that is beyond the scope of this article.
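Rather than clicking through Internet Explorer, the same check can be scripted. The following is an added example (not from the original article) that runs on a client and confirms both that the certificate from the exported .cer file is in the machine's Trusted Root store and that it arrived via Group Policy rather than by hand. The .cer path is an assumption.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# prompt on a client in the Office OU. The .cer path at the bottom is an assumption.
function Test-GpoRootCertificate {
    param([Parameter(Mandatory)][string]$CerPath)

    # Match by SHA-1 thumbprint: it is the key Windows uses for store entries and,
    # unlike the friendly name, cannot collide with an unrelated certificate.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $thumb = $cert.Thumbprint

    # 1) Present in the machine-wide Trusted Root store (what IE and certlm.msc show)?
    $inStore = Test-Path "Cert:\LocalMachine\Root\$thumb"

    # 2) Delivered by Group Policy? GPO-deployed roots are written under the Policies
    #    hive, which is rebuilt on every policy refresh; a root imported by hand
    #    (or by something unwanted) lives elsewhere, so this tells the two apart.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
    $viaGpo = Test-Path $policyKey

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $thumb
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        InRootStore   = $inStore
        DeployedByGpo = $viaGpo
    }
}

# Refresh computer policy first so the result reflects the current GPO state.
gpupdate /target:computer /force | Out-Null
Test-GpoRootCertificate -CerPath 'C:\Temp\zimbra-root.cer' | Format-List
```

If InRootStore is True but DeployedByGpo is False, the certificate got there by some other route and the policy is not actually reaching the machine; the same combination is what to look for when auditing for roots nobody deployed on purpose.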

Some time ago I ran into the problem of being unable to deploy something correctly because the Trusted Root Certification Authorities store (hereafter the TrustedRootCA store) was not being updated on target Windows computers. At the time the question was settled by deploying the rootsupd.exe package that came with KB931125 and was intended for Windows XP. That OS has now been fully dropped from Microsoft support, and perhaps for that reason the KB article is no longer available on the Microsoft website. On top of that, even back then deploying an already outdated certificate package was not the best solution, since there were already systems running Windows Vista and Windows 7, which have a newer mechanism for automatically updating the TrustedRootCA store. Here is one of the old articles on Windows Vista describing some aspects of that mechanism: Certificate Support and Resulting Internet Communication in Windows Vista. Recently I again ran into the original problem: the need to update the TrustedRootCA store on a certain number of Windows client computers and servers. None of these computers have direct Internet access, so the automatic certificate update mechanism does not do its job the way I would like. Opening direct Internet access for all computers, even to specific addresses only, was considered a last resort from the start, and the search for a more acceptable solution led me to the article Configure Trusted Roots and Disallowed Certificates (RU), which immediately answered all my questions. So, based on that article, in this note I will use a specific example to summarize how the auto-update of the TrustedRootCA store on Windows Vista and later computers can be centrally reconfigured to use a file share or a website on the local corporate network as the update source.

The first thing to pay attention to is that the group policies applied to the computers must not contain the setting that blocks the auto-update mechanism. That setting is Turn off Automatic Root Certificates Update, in Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings. It must be Disabled or simply Not Configured.

If you look at the TrustedRootCA store in the Local Computer section on systems without direct Internet access, the set of certificates is, to put it mildly, small.

The SST (serialized certificate store) file that certutil can generate from the Windows Update root list (certutil -generateSSTFromWU <file>) is convenient when, out of the whole set of available certificates, you need to pick only some subset and export it to a separate SST file for later loading, for example via the local Certificates management console or via the Group Policy Management Console (importing it into a domain policy under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities).

However, to propagate the root certificates you are interested in by changing how the auto-update mechanism works on the end client computers, we need a somewhat different representation of the set of current root certificates. It can be obtained with the same certutil utility, but with a different set of switches.

In our example a shared network folder on a file server will serve as the local distribution source. It is important to note here that when preparing that folder, write access to it must be restricted, so that it does not turn out that anyone at all can modify the set of root certificates that will later be "poured" into many computers.

certutil -syncWithWU -f -f \\File-Server\Share\rootcaupd\GPO-Deployment\

The two -f switches force all files in the destination directory to be overwritten.

After the command runs, a set of files totalling about half a megabyte appears in the network folder we specified.

According to the article mentioned earlier, the files serve the following purposes:

  • authrootstl.cab contains the certificate trust list (CTL) of third-party root certificates;
  • disallowedcertstl.cab contains the certificate trust list of untrusted (disallowed) certificates;
  • disallowedcert.sst contains a serialized certificate store that includes the untrusted certificates;
  • files named <thumbprint>.crt contain the third-party root certificates themselves.

So we have the files the auto-update mechanism needs; now let us move on to actually changing how the mechanism works. As always, Active Directory domain Group Policy (GPO) comes to our aid, although other centralized management tools can be used too, because all we need to do on every computer is change, or rather add, a single registry value, RootDirUrl, under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate. It defines the path to the network directory where we placed the set of root certificate files.

There are again several ways to set up the GPO. For example, there is the "old-school" option of creating a Group Policy template, as described in the article we are already familiar with. To do that, create a file in the GPO administrative template (ADM) format, for example named RootCAUpdateLocalPath.adm, with the following content:

CLASS MACHINE
CATEGORY !!SystemCertificates
KEYNAME "Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
POLICY !!RootDirURL
EXPLAIN !!RootDirURL_help
PART !!RootDirURL EDITTEXT
VALUENAME "RootDirURL"
END PART
END POLICY
END CATEGORY

[strings]
RootDirURL="URL address to be used instead of default ctldl.windowsupdate.com"
RootDirURL_help="Enter a FILE or HTTP URL to use as the download location of the CTL files."
SystemCertificates="Windows AutoUpdate Settings"

Copy this file to the %SystemRoot%\inf directory on a domain controller (usually C:\Windows\inf). Then go to the Group Policy editor, create a separate new policy and open it for editing. Under Computer Configuration > Administrative Templates open the context menu and choose Add/Remove Templates to attach the new policy template.

In the window that opens, click Browse, select the previously copied file %SystemRoot%\inf\RootCAUpdateLocalPath.adm, and once the template appears in the list click Close.

After that, under Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM), a group called Windows AutoUpdate Settings appears, containing the single setting URL address to be used instead of default ctldl.windowsupdate.com.

Open this setting and enter the path to the local resource where we placed the downloaded update files, in the form http://server1/folder or file://\\server1\folder,
for example file://\\File-Server\Share\rootcaupd\GPO-Deployment

Save the changes and link the created policy to the domain container holding the target computers. However, this way of setting up the GPO has a number of shortcomings, which is why I called it "old-school".

Another, more modern and more flexible way to configure the client registry is Group Policy Preferences (GPP). With this option we create a GPP item under Computer Configuration > Preferences > Windows Settings > Registry that updates (Action: Update) the registry value RootDirUrl (value type REG_SZ) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate.

If necessary, we can enable flexible targeting for the created GPP item (Common tab > Item-level targeting) to a specific computer or group of computers, for pre-testing before the policy is rolled out to everyone.

Naturally, you need to pick one of the two options: attaching your own ADM template or using GPP.
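Before pointing every client at the share, it is worth checking the share itself. The script below is an added example that is not part of the original note. Test-RootUpdateSource verifies that the files certutil -syncWithWU produced are present and that the NTFS ACL grants no write-type rights to broad groups (the write-access caveat made earlier). Set-RootDirUrl does, for a single pilot machine, exactly what the GPP registry item will later do domain-wide. The share path is the one used in the note; the list of broad principals and the file names are assumptions based on the note's description of the certutil output.

```powershell
# Added example, not from the original note. Test-RootUpdateSource runs from an
# admin workstation that can reach the share; Set-RootDirUrl runs elevated on a
# single pilot client. Share path as in the note; group names are assumptions.
$Source = '\\File-Server\Share\rootcaupd\GPO-Deployment'

function Test-RootUpdateSource {
    param([Parameter(Mandatory)][string]$Path)

    # Files the auto-update client fetches from RootDirUrl, plus the per-root
    # <thumbprint>.crt files; all come from certutil -syncWithWU.
    $required = 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst'
    $missing  = @($required | Where-Object { -not (Test-Path (Join-Path $Path $_)) })
    $crtCount = @(Get-ChildItem -Path $Path -Filter '*.crt' -ErrorAction SilentlyContinue).Count

    # Whoever can write here can make every client trust a CA of their choosing.
    # Flag Allow ACEs that give broad principals any write-type right; only the
    # account that runs certutil -syncWithWU (and admins) should have those.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER'
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $risky = @((Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeBits) -ne 0
    })

    [pscustomobject]@{
        Path           = $Path
        MissingFiles   = $missing
        RootCertFiles  = $crtCount
        RiskyWriteAces = @($risky | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        Ok             = ($missing.Count -eq 0 -and $crtCount -gt 0 -and $risky.Count -eq 0)
    }
}

function Set-RootDirUrl {
    param([Parameter(Mandatory)][string]$SharePath)
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Same value and format the GPP item writes: file://\\server\share
    # (http://server/folder is the other accepted form).
    New-ItemProperty -Path $key -Name 'RootDirUrl' -Value ('file://' + $SharePath) `
        -PropertyType String -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'RootDirUrl').RootDirUrl
}

Test-RootUpdateSource -Path $Source | Format-List
# On the pilot client only; the GPP item replaces this for the fleet:
# Set-RootDirUrl -SharePath $Source
```

Get-Acl looks at the NTFS ACL only; check the share permissions on the file server as well (Get-SmbShareAccess on Server 2012 and later). Running Test-RootUpdateSource as part of the scheduled job that calls certutil -syncWithWU means a drifted ACL is noticed before the next sync, not after a client has already picked up a tampered set.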

Once group policy is configured, run gpupdate /force on a test client computer and then reboot it. After the system starts, check that the registry value was created and try to test the root certificate store update. For the test we use the simple but effective example described in the note Trusted Roots and Disallowed Certificates.

For example, let us see whether the computer's certificate store contains the root certificate used to issue the certificate installed on the site buypass.no (but do not visit the site itself yet :)).

The most convenient way to do this is with PowerShell:

Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.FriendlyName -like "*buypass*" }

Most likely we will not have such a root certificate. If so, open Internet Explorer and go to https://buypass.no. If the root certificate auto-update mechanism we configured works, an event with source CAPI2 will appear in the Windows Application event log, indicating that the new root certificate was downloaded successfully:

Log Name: Application
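The checks in this section can be collected into one script. The following is an added example, not from the original note: it reads RootDirUrl and the blocking policy value back from the registry, lists any root whose subject or friendly name matches a pattern, triggers a TLS connection to the test site so the chain engine has a reason to fetch the missing root, and then pulls recent CAPI2 events from the Application log. The test site is the one from the note; the pattern, the lookback window and the timeout are assumptions.

```powershell
# Added example, not from the original note. Run elevated on the pilot client
# after gpupdate /force and a reboot. Pattern, lookback and timeout are assumptions.
function Get-RootAutoUpdateState {
    param(
        [string]$SubjectPattern = '*Buypass*',
        [int]$LookbackMinutes = 60
    )
    # Where the GPP item / ADM template writes the redirect.
    $auKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    $rootDirUrl = (Get-ItemProperty -Path $auKey -Name RootDirUrl -ErrorAction SilentlyContinue).RootDirUrl

    # Registry form of "Turn off Automatic Root Certificates Update"; 1 means the
    # whole mechanism is disabled and nothing below will ever fire.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $disabled = (Get-ItemProperty -Path $polKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate

    # Match on Subject as well as FriendlyName: roots fetched from Windows Update
    # often carry no friendly name, so a FriendlyName-only filter can miss them.
    $roots = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $SubjectPattern -or $_.FriendlyName -like $SubjectPattern } |
        Select-Object Subject, Thumbprint, NotAfter

    # CAPI2 logs to the Application log; Event Viewer shows the source as "CAPI2".
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        RootDirUrl    = $rootDirUrl
        AutoUpdateOff = ($disabled -eq 1)
        MatchingRoots = @($roots)
        RecentCapi2   = @($events)
    }
}

function Invoke-RootFetchTrigger {
    param([string]$Url = 'https://buypass.no')
    # A TLS handshake validated through CryptoAPI builds the chain, and a chain
    # that ends in an unknown root is what makes Windows consult RootDirUrl.
    # The page body is irrelevant, so any error (including a trust failure) is swallowed.
    try { Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 | Out-Null } catch { }
}

$before = Get-RootAutoUpdateState
"RootDirUrl: $($before.RootDirUrl)  AutoUpdateOff: $($before.AutoUpdateOff)  matching roots before: $($before.MatchingRoots.Count)"
Invoke-RootFetchTrigger
$after = Get-RootAutoUpdateState -LookbackMinutes 5
"Matching roots after: $($after.MatchingRoots.Count)"
$after.RecentCapi2 | Format-Table TimeCreated, Id -AutoSize
```

If the count does not change and no CAPI2 events appear, check AutoUpdateOff first, then RootDirUrl, and only then the share: an empty or unreachable RootDirUrl fails silently from the client's point of view.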

A friend of mine (Seryoga from antelecs.ru) once came to me asking whether the routine process of adding several certificates to the Trusted Root Certification Authorities store could be sped up or automated. The task seemed interesting and on-topic for the site, so I decided to publish the solution here.

Of course, it could have been done with GPO or some other admin tooling, but for some reason my first thought was to use improvised means: the RAR archiver and its ability to create self-extracting (SFX) archives.

Making certificate installation automatic

We will need the certmgr.exe utility from the Windows SDK. Information on how to use it is on its documentation page.

Select all the files and choose the "Add to archive..." command from the context menu.


Specify the archive settings. Here you can give the output executable an arbitrary name; you must also tick the "Create SFX archive" option.


On the Advanced tab click the "SFX options..." button.


On the General tab specify the extraction path; you can use the current folder or a subdirectory of it.

The most interesting part: on the "Setup" tab specify which commands to run after the files are extracted. The current directory will be the one the files were unpacked into. The command that installs a certificate into the store looks like this:

certmgr.exe -add -c "file name.cer" -s -r localMachine root

where -r localMachine means installation for the computer (rather than for the current user), -s marks the target as a system store, and root is the name of the Trusted Root Certification Authorities store.

For convenience you can hide all dialog boxes (otherwise a directory selection dialog for unpacking, and so on, will be shown).

The Comment tab shows all actions performed during unpacking. In principle you can enter this text by hand and achieve the same result.
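The SFX approach works, but a PowerShell script does the same job without packing binaries into an archive, and can refuse to add things that do not belong in Root. Below is an added example, not part of the original post: it imports every .cer file in a folder into the machine Trusted Root store, skipping anything that is not a self-signed CA certificate, is expired, or is already present. The folder defaults to the current location, which is an assumption.

```powershell
# Added example, not from the original post. Run from an elevated prompt in the
# folder holding the .cer files (the folder default is an assumption).
function Install-RootCertificates {
    param(
        [string]$Folder = (Get-Location).Path,
        [switch]$WhatIf
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing to LocalMachine\Root requires an elevated prompt.'
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($file in Get-ChildItem -Path $Folder -Filter '*.cer' -File) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

            # Only a self-signed CA belongs in Root. Check the Basic Constraints
            # extension; very old v1 roots carry no extensions at all, so accept
            # those only when they are v1 and self-signed.
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            $isCa = if ($bc) { [bool]$bc.CertificateAuthority } else { $cert.Version -eq 1 }
            $selfSigned = ($cert.Subject -eq $cert.Issuer)

            $status = if (-not ($selfSigned -and $isCa)) { 'Skipped: not a self-signed CA certificate' }
                      elseif ($cert.NotAfter -lt (Get-Date)) { 'Skipped: expired' }
                      elseif ($store.Certificates.Contains($cert)) { 'Already present' }
                      elseif ($WhatIf) { 'Would add' }
                      else { $store.Add($cert); 'Added' }

            [pscustomobject]@{
                File       = $file.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Status     = $status
            }
        }
    } finally {
        $store.Close()
    }
}

# Dry run first, then the real thing.
Install-RootCertificates -WhatIf | Format-Table -AutoSize
# Install-RootCertificates | Format-Table -AutoSize
```

The self-signed and Basic Constraints checks are the point of the script: an end-entity or intermediate certificate dropped into Root by a careless SFX command is a common way to end up with a machine that trusts far more than intended.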


Video on the topic

For a better understanding of the process, I recorded a short video.

  • "Other Users": the store for certificates of the regulatory authorities;
  • "Trusted Root Certification Authorities" and "Intermediate Certification Authorities": the stores for certification authority certificates.

Personal certificates are installed only with the CryptoPro CSP program.

To start the console, do the following.

1. Open Start > Run (or press Win+R).

2. Enter mmc and click OK.

3. Choose File > Add or Remove Snap-ins.

4. Select the Certificates snap-in from the list and click Add.

5. In the window that opens select My user account and click Finish.

6. Make sure the snap-in appears in the list on the right and click OK.

Installing certificates

1. Open the required store (for example, Trusted Root Certification Authorities). To do so, expand Certificates - Current User > Trusted Root Certification Authorities > Certificates.

2. Choose Action > All Tasks > Import.

3. Click Browse and specify the certificate file to import (the certification authority's root certificates can be downloaded from its website; the regulatory authorities' certificates are on the reporting system's website). After selecting the certificate click Open, then Next.

4. In the next window click Next (the correct store is selected automatically).

5. Click Finish to complete the import.

Deleting certificates

To delete certificates with the MMC console (for example, from the Other Users store), do the following:

Expand Certificates - Current User > Other Users > Certificates. The right pane shows all certificates installed in the Other Users store. Select the required certificate, right-click it and choose Delete.

To install the certificates, connect the USB flash drive with the electronic signature (ES), open it and install the certificates.

1. Install the certificate of the Head Certification Authority into Trusted Root Certification Authorities. To do so:

1.1. Double-click the Head CA certificate, the "Head Certification Authority.cer" file.

1.2. In the form that opens click the "Install Certificate..." button.

1.3. Select "Place all certificates in the following store" (tick the option) and click "Browse".

1.4. In the list that opens select "Trusted Root Certification Authorities" and click "OK".

2. Installing a personal certificate

A personal certificate is installed with the CryptoPro CSP program.

2.1. Start CryptoPro CSP (Start > CryptoPro CSP, or Start > All Programs > Crypto-Pro > CryptoPro CSP).

2.2. In the window that opens select the "Service" tab and click the "Install Personal Certificate..." button.

2.3. In the window that opens click "Browse", select the organization's certificate on the flash drive, the second file with the .cer extension (not the CA certificate file; in the example, "ADICOM.CER"), and click "Next".

2.4. In the form that opens click "Next".

2.5. In the form that opens click "Find container automatically"; the "Key container name" field is filled in as a result. Click "Next".

2.6. In the form that opens click "Next".

2.7. In the form that opens click "Finish".


Everything needed to sign printed forms with an electronic signature is now installed on the user's local computer.

3. Installing the CryptoPro Extension for CAdES Browser Plug-in in the browser

To install the CryptoPro Extension for CAdES Browser Plug-in browser extension, open your browser's extension store and search for CAdES, following the links. For Yandex.Browser the link is -