Client not automatically applying certificate to its local store

  • Question

  • I have generated a certificate from my Enterprise CA and as a result the certificate is trusted by domain joined clients. To have non-domain joined clients trust the certificate I have to install it manually in the client's local store. Is there anyway to have non-domain joined clients trust the certificate, which is created by the Enterprise CA, and have the client automatically apply the certificate to its local store?

    I'm running OCS 2007 on Windows Server 2003, and the clients are a mix of XP & Vista. Input on this matter would be greatly appreciated. Thanks.

    -Dan
    Monday, February 4, 2008 6:10 PM

Answers

  • About the closest you'll get is giving your external clients an installation package that installs the certificate for them. The root certificate is actually in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. However, you'll see all of the root CAs listed there, so it's difficult to identify yours. The certs are listed by thumbprint, so look at your root certificate to get the thumbprint and you should be able to identify the key with that cert. Now, export the certificate like any other registry entry and save it as a .reg file.

    At this point your clients can install the certificate by using a regedit /s exportregfile.reg command. That's not real handy for users, so I'd hand off a .bat or .vbs that they can click on to install Communicator, Live Meeting, the Conferencing Add-In and the root certificate all at once.

    Something like this perhaps...

    Code Snippet

    @echo off

    :: -------------------------------------------------------------------
    :: Install Office Communicator
    :: -------------------------------------------------------------------
    start /wait msiexec /qb /i communicator.msi

    :: -------------------------------------------------------------------
    :: Install Live Meeting console
    :: -------------------------------------------------------------------
    start /wait msiexec /qb /i LMConsole.msi

    :: -------------------------------------------------------------------
    :: Install conferencing plugin if Office 2003 or 2007 is present
    :: -------------------------------------------------------------------
    IF EXIST "%programfiles%\Microsoft Office\Office12\outlook.exe" GOTO INSTALLPLUGIN
    IF EXIST "%programfiles%\Microsoft Office\Office11\outlook.exe" GOTO INSTALLPLUGIN

    :: -------------------------------------------------------------------
    :: Install certificate (the exported .reg file, imported silently)
    :: -------------------------------------------------------------------
    :INSTALLCERT
    regedit /s cert.reg

    EXIT

    :: -------------------------------------------------------------------
    :: Subroutine to install conferencing plugin, then return to install
    :: the certificate (without the GOTO the script would end here and
    :: Office users would never get the root certificate)
    :: -------------------------------------------------------------------
    :INSTALLPLUGIN
    start /wait msiexec /qb /i LMAddinPack.msi
    GOTO INSTALLCERT

    I've been meaning to write a blog post regarding this, so I'll try to finish that up soon.
    Thursday, February 7, 2008 12:24 AM
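    The same export-by-thumbprint and silent-import procedure as a PowerShell script, with a check that the exported key really is a self-signed root and that the client ends up trusting the thumbprint you intended. This is an added example, not code from the thread; the function names and the thumbprint value are placeholders.

    ```powershell
    # Added example (not from the original thread). Wraps the registry-export
    # approach from the accepted answer in two functions and adds verification.
    # Function names and the thumbprint below are placeholders.

    # Run on a machine that already trusts the Enterprise CA: export the root
    # CA's registry key to a .reg file.
    function Export-RootCaReg {
        param([string]$Thumbprint, [string]$OutFile = "cert.reg")
        # Key names under ...\ROOT\Certificates are the SHA-1 thumbprint, no spaces
        $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($tp.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint" }

        $cert = Get-Item "Cert:\LocalMachine\Root\$tp" -ErrorAction Stop
        # Sanity check so you do not ship some other vendor's root by mistake
        if ($cert.Subject -ne $cert.Issuer) { throw "$tp is not self-signed; not a root CA" }
        Write-Host "Exporting root '$($cert.Subject)', valid until $($cert.NotAfter)"

        $key = "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$tp"
        reg.exe export $key $OutFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    }

    # Run elevated on the non-domain-joined client: import the .reg silently and
    # confirm the root now present in LocalMachine\Root has the expected thumbprint.
    function Install-RootCaReg {
        param([string]$RegFile, [string]$ExpectedThumbprint)
        $tp = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
        Start-Process regedit.exe -ArgumentList "/s `"$RegFile`"" -Wait -NoNewWindow

        $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $installed) { throw "Root CA $tp not found in LocalMachine\Root after import" }
        Write-Host "Trusted root installed: $($installed.Subject)"
    }

    # Usage (placeholder thumbprint):
    # Export-RootCaReg  -Thumbprint '0000000000000000000000000000000000000000' -OutFile cert.reg
    # Install-RootCaReg -RegFile .\cert.reg -ExpectedThumbprint '0000000000000000000000000000000000000000'
    ```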

All replies

  • The client machine has to trust the certificate. As an alternative you can publish the /certsrv website and point the client there to install the root cert, but one way or another it has to be on the machine.

    Monday, February 4, 2008 11:01 PM
    Moderator
  • I agree with Mike. The bottom line is, the client should have the root CA installed or imported on it.

    Ram K Ojha
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com

    Tuesday, February 5, 2008 3:04 AM
  • You're right, the client machine has to trust the certificate - however, that only seems to be a problem, in my case, if the computer is NOT domain-joined. If the computer is domain-joined, the computer automatically accepts the certificate without any problems. So, that brings me back to my original question: is there a way to have clients automatically accept & apply the certificate whether or not they are domain-joined?

    -Dan

    Wednesday, February 6, 2008 6:01 PM
  • Domain joined machines pick up the Enterprise CA root automatically. Non-domain joined machines do not, and there's not a way (at least not that I've ever been able to find) to make that happen.

    Wednesday, February 6, 2008 9:37 PM
    Moderator