Windows Thread, Installing Security Certificates for Students in Technical; Other than Group Policy, is there a way that I can install a security certificate on a number of PCs ...
  1. #1
    gtg93's Avatar

    Question Installing Security Certificates for Students

    Other than Group Policy, is there a way that I can install a security certificate on a number of PCs so it is then valid for every user? I don't mind going round the computers individually...

    I have tried it with certmgr.exe with a batch file but when it's run by the student I get the error: Error: Failed to open the source store

    Even though the certificate is in the directory specified and the students have full access.

    Or if not, is there a physical directory I can copy the certificate into for it to be applied?

    Cheers in advance for any help

  2. #2
    box_l's Avatar
    Code:
    \\UNC-PATH\certmgr -add -c Certificate.cer -s -r localmachine root
    Is this your syntax?

    BoX

  3. Thanks to box_l from:

    gtg93 (22nd March 2011)

  4. #3
    gtg93's Avatar
    Yes that's the one... works fine for me but not for others as a bat file running on startup

  5. #4
    box_l's Avatar
    Do you mean a startup script?
    Maybe the cert store is not initialised that soon in the boot process?
    Try later as a logon script.

    When does it work fine for you, when you are logged on? Or at startup?

    BoX

  6. #5


    I did this quite recently using Wix and created an MSI which installs a certificate. Example code shown below (and attached) if you want to give it a try. Just change the bits in red.

    Product.wxs
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" 
    	 xmlns:iis="http://schemas.microsoft.com/wix/IIsExtension"
    	 xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
    	 
    	<?define ProductName = "Security Certificate" ?>
    	<?define ManufacturerName = "My School" ?>
      
      	<!-- Requires WiX v3.6.1321.0 or newer -->
      
    	  <Product Id="*" 
    			   Name="$(var.ProductName)" 
    			   Language="2057" 
    			   Version="1.0.0" 
    			   Manufacturer="$(var.ManufacturerName)" 
    			   UpgradeCode="01100111-0110-0101-0110-010101101011">
      
    		<Package InstallerVersion="300" 
    				 Platform="x86" 
    				 Compressed="yes" 
    				 InstallScope="perMachine" 
    				 InstallPrivileges="elevated" />
    
    		<MajorUpgrade DowngradeErrorMessage="A newer version of $(var.ProductName) is already installed. Setup will now exit." />
    
    		<!-- Launch Conditions -->
    		<Condition Message="You need to be an administrator to install this application.">
    			<![CDATA[Privileged]]>
    		</Condition>
    		<Condition Message="This application is not supported on your current operating system. The minimum is Windows XP.">
    			<![CDATA[Installed OR (VersionNT>=501)]]>
    		</Condition>
    
    		<Binary Id="RootCA" SourceFile=".\Source\SecurityCertificate.cer" />
    
    		<Directory Id="TARGETDIR" Name="SourceDir">
    			<Directory Id="ProgramFilesFolder" Name="ProgramFilesFolder">
    				<Directory Id="INSTALLDIR" Name="$(var.ProductName)">
    			 
    				  <Component Id="SecurityCertificate" Guid="BE88B813-9141-4453-9B5B-9BA59152E934" KeyPath="yes">
    					<iis:Certificate
    								  Id="Certificate.RootCA"
    								  Name="$(var.ProductName)"
    								  Request="no"
    								  StoreLocation="localMachine"
    								  StoreName="root"
    								  Overwrite="no"
    								  BinaryKey="RootCA" />
    				  </Component>
    				  
    				</Directory>
    			</Directory>
    		</Directory>
        
    		<Feature Id="Complete" 
    				 Title="$(var.ProductName)" 
    				 Description="The core files required to install the certificate." 
    				 Level="1" 
    				 ConfigurableDirectory="INSTALLDIR" 
    				 Absent="disallow" 
    				 AllowAdvertise="no" 
    				 Display="expand">
    				
    				 <ComponentRef Id="SecurityCertificate" />
    		</Feature>
    
    		<Media Id="1" />
    
    		<Property Id="LIMITUI" Value="1" />
    		<Property Id="MSIFASTINSTALL" Value="6" />
    		<Property Id="REBOOT" Value="ReallySuppress" />
    		<Property Id="ROOTDRIVE" Value="$(env.SystemDrive)\" />
    
    		<UI Id="MyUI">
    			<UIRef Id="WixUI_InstallDir" />
    			<UIRef Id="WixUI_ErrorProgressText" />
    		</UI>
    
      </Product>
    </Wix>
    CreateMSI.cmd
    Code:
    @echo off
    SET NAME=Security Certificate
    SET PATH=%PATH%;"%ProgramFiles%\Windows Installer XML v3.6\bin"
    
    echo // Compiling
    candle.exe -v -nologo -ext WixUtilExtension.dll -ext WixIISExtension.dll -fips -out .\ .\Source\*.wxs
    
    echo. & echo // Linking
    light.exe -nologo -out "%NAME%.msi" "*.wixobj" -cultures:en-US -ext WiXUtilExtension.dll -ext WixIISExtension.dll -ext WixUIExtension.dll -dcl:high
    
    :: Tidy up
    del /F /S /Q *.wixobj
    del /F /S /Q *.wixpdb

  7. Thanks to Arthur from:

    gtg93 (22nd March 2011)

  8. #6
    gtg93's Avatar
    Quote (originally posted by box_l):
    > Do you mean a startup script?
    > Maybe the cert store is not initialised that soon in the boot process?
    > Try later as a logon script.
    >
    > When does it work fine for you, when you are logged on? Or at startup?
    >
    > BoX

    Thanks for the reply and sorry for my late one,

    I'm running it as a log on script but the students get the error I mentioned above but it works fine for me (other scripts at logon usually work fine and they're able to install the certificate normally so why not a script to install it?)

    Quote:
    > I did this quite recently using Wix and created an MSI which installs a certificate. Example code shown below (and attached) if you want to give it a try. Just change the bits in red.

    Thanks,
    I'll see what I can make of it

  9. #7
    gtg93's Avatar
    I've had a look at this and can't seem to get it working...
    I've installed Wix but am I right in saying Wix needs Visual Studio to work?

  10. #8


    WiX will definitely work without Visual Studio. Probably the best thing to do would be to download and run Wix36.exe from here just to make sure you have the latest version of WiX installed. Next, download WixCertificate.7z from my post above and extract its contents to a folder on your HDD. You will need 7-Zip to do this if you don't already have it installed.

    In the 'Source' folder you will find two files...

    Product.wxs. Open this in Notepad (or your favourite text editor) and then change the bits I highlighted in red above. Save the file and then close it.

    SecurityCertificate.cer. This is just an example certificate and can be deleted or overwritten. If your certificate has a different filename make sure it matches the filename which is in the WXS file (under the Binary element with an Id of "RootCA").

    Finally, double-click _MakeMSI.cmd and after a few seconds you should have an MSI.

    If this doesn't work, let me know as I have something else you can try.

  11. Thanks to Arthur from:

    gtg93 (22nd March 2011)

  12. #9


    I have made a few changes to the WiX and batch files. New versions shown below and attached should you need them?

    Product.wxs
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" 
         xmlns:iis="http://schemas.microsoft.com/wix/IIsExtension" 
         xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
    
      <?define ProductName       = "Security Certificate" ?>
      <?define ManufacturerName  = "My School" ?>
      <?define CertFileName      = "SecurityCertificate.cer" ?>
      
      <!-- Requires WiX v3.5.1315.0 or newer / Tested with: WiX v3.6.1518.0 -->
      
      <Product Id="*" Name="$(var.ProductName)" Language="2057" Version="1.0.0" Manufacturer="$(var.ManufacturerName)" UpgradeCode="01100011-0110-0101-0111-001001110100">
        <Package InstallerVersion="300" Platform="x86" Compressed="yes" InstallScope="perMachine" InstallPrivileges="elevated" />
        
        <MajorUpgrade DowngradeErrorMessage="A newer version of $(var.ProductName) is already installed. Setup will now exit." />
        
        <!-- Launch Conditions -->
        <Condition Message="You need to be an administrator to install this application."><![CDATA[Privileged]]></Condition>
        <Condition Message="This application is not supported on your current operating system. The minimum is Windows XP."><![CDATA[Installed OR (VersionNT>=501)]]></Condition>
        
        <Binary Id="RootCA" SourceFile=".\Source\$(var.CertFileName)" />
        
        <Directory Id="TARGETDIR" Name="SourceDir">
          <Directory Id="ProgramFilesFolder" Name="ProgramFilesFolder">
            <Directory Id="ManufacturerFolder" Name="$(var.ManufacturerName)">
              <Directory Id="INSTALLDIR" Name="$(var.ProductName)">
              
                <Component Id="SecurityCertificate" Guid="90EC4127-2733-4E66-8D9E-250D63C90D40" KeyPath="yes">
                  <iis:Certificate Id="Certificate.RootCA" 
                                   Name="$(var.ProductName)" 
                                   Request="no" 
                                   StoreLocation="localMachine" 
                                   StoreName="root" 
                                   Overwrite="no" 
                                   BinaryKey="RootCA" />
                </Component>
              </Directory>
            </Directory>
          </Directory>
        </Directory>
        
        <Feature Id="Complete" 
                 Title="$(var.ProductName)" 
                 Description="The core files required to install the certificate." 
                 Level="1" 
                 ConfigurableDirectory="INSTALLDIR" 
                 Absent="disallow" 
                 AllowAdvertise="no" 
                 Display="collapse">
                 
          <ComponentRef Id="SecurityCertificate" />
        </Feature>
        
        <Media Id="1" />
        
        <Property Id="LIMITUI" Value="1" />
        <Property Id="MSIFASTINSTALL" Value="6" />
        <Property Id="REBOOT" Value="ReallySuppress" />
        <Property Id="ROOTDRIVE" Value="$(env.SystemDrive)\" />
        
        <UI Id="MyUI">
          <UIRef Id="WixUI_InstallDir" />
          <UIRef Id="WixUI_ErrorProgressText" />
        </UI>
        
      </Product>
    </Wix>
    CreateMSI.cmd
    Code:
    @echo off
    SETLOCAL
    SET NAME=Security Certificate
    
    :: Abort early if WiX is missing. This branch exits, so the rest of the
    :: script does not need to sit inside an ELSE block.
    IF NOT EXIST "%WIX%" (
        echo.
        echo WiX is not installed and/or %%WIX%% system variable is not set.
        echo.
        echo The latest release can be downloaded from:
        echo http://wix.sourceforge.net/releases/
        echo.
        PAUSE
        exit /b 1
    )
    
    :: Set PATH outside any parenthesised block: a ")" in %PATH%, for example
    :: from "Program Files (x86)", would otherwise close the block early.
    :: Labels and GOTO are also unreliable inside such blocks.
    SET "PATH=%PATH%;%WIX%bin"
    
    echo.
    echo ------------------------------------------------------------------------------
    echo  Compiling...
    echo ------------------------------------------------------------------------------
    candle.exe -v -nologo -ext WixUtilExtension.dll -ext WixIISExtension.dll -fips -out .\ .\Source\*.wxs
    
    echo.
    echo ------------------------------------------------------------------------------
    echo  Linking...
    echo ------------------------------------------------------------------------------
    light.exe -nologo -out "%NAME%.msi" "*.wixobj" -cultures:en-US -ext WiXUtilExtension.dll -ext WixIISExtension.dll -ext WixUIExtension.dll -dcl:high
    if ERRORLEVEL 1 goto error
    
    :tidyup
    echo.
    echo ------------------------------------------------------------------------------
    echo  Tidying Up...
    echo ------------------------------------------------------------------------------
    del /F /S /Q *.wixobj >nul 2>&1
    del /F /S /Q *.wixpdb >nul 2>&1
    
    goto success
    
    :error
    color 4F
    echo.
    echo //////////////////////////////////////////////////////////////////////////////
    echo  Build failed!
    echo //////////////////////////////////////////////////////////////////////////////
    PAUSE>NUL
    exit /B 1
    
    :success
    echo.
    echo ------------------------------------------------------------------------------
    echo  MSI created successfully 
    echo ------------------------------------------------------------------------------
    echo.
    echo  You will find it here...
    echo.
    echo  "%~dp0%NAME%.msi"
    echo.
    PAUSE
    
    ENDLOCAL

  13. #10
    gtg93's Avatar
    Thanks,

    that seems to have worked this time... Think it was a dodgy version of Wix I'd downloaded the first time around

  14. #11

    Hi there Arthur,

    I just wanted to ask for your help about creating an MSI to install a certificate. I saw your posting about how to create one, but my main question is how I can deploy 3 certificates at once.

    Thanks for your reply in advance.
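
The question in post #11 about deploying three certificates from one MSI is not answered in the thread. The fragment below is an added example, not Arthur's code: it replaces the single `<Binary>` element and the `<Component>` in the Product.wxs from post #9, and the three .cer file names, the Binary Ids and the friendly names are placeholders.

```xml
<!-- Added example, not from the thread. File names, Ids and Names are placeholders. -->

<!-- One Binary per certificate file, each with a unique Id -->
<Binary Id="Cert1" SourceFile=".\Source\Certificate1.cer" />
<Binary Id="Cert2" SourceFile=".\Source\Certificate2.cer" />
<Binary Id="Cert3" SourceFile=".\Source\Certificate3.cer" />

<!-- Same Component Id as in post #9, so the existing <ComponentRef> still matches.
     Generate a fresh Guid if the single-certificate MSI has already been deployed. -->
<Component Id="SecurityCertificate" Guid="90EC4127-2733-4E66-8D9E-250D63C90D40" KeyPath="yes">

  <!-- StoreName="root" makes a certificate a trust anchor for every user on the
       machine, so only genuine root CA certificates belong here. -->
  <iis:Certificate Id="Certificate.Cert1"
                   Name="$(var.ProductName) 1"
                   Request="no"
                   StoreLocation="localMachine"
                   StoreName="root"
                   Overwrite="no"
                   BinaryKey="Cert1" />

  <iis:Certificate Id="Certificate.Cert2"
                   Name="$(var.ProductName) 2"
                   Request="no"
                   StoreLocation="localMachine"
                   StoreName="root"
                   Overwrite="no"
                   BinaryKey="Cert2" />

  <!-- Assumed here to be an intermediate CA certificate: it goes in the
       Intermediate Certification Authorities store, not the root store. -->
  <iis:Certificate Id="Certificate.Cert3"
                   Name="$(var.ProductName) 3"
                   Request="no"
                   StoreLocation="localMachine"
                   StoreName="ca"
                   Overwrite="no"
                   BinaryKey="Cert3" />
</Component>
```

The `CertFileName` define in the post #9 file is no longer used once the single `<Binary>` line is replaced and can be removed.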


