
Deploying certificates to workgroup computers

You can still use your certificates from your internal certificate authority on workgroup computers. When clients are on the domain, we use autoenrolment to make sure our clients get the correct certificate.

Deploying certificates to workgroup computers is not as intuitive and simple as deploying them on the domain, but we can use a script to generate the certificate request. The following code does just that. First of all, we need to define the client name; this must be entered correctly so that the certificate request is correct.

The next section of code generates the certificate request and specifies which certificate template to use. The script then submits the request, accepts the issued certificate, and exports it. Lines that require editing have been highlighted; this script should be executed as an administrator:

rem Edit: FQDN of the workgroup client the certificate is for
set subjectname=client.fqdn.co.uk
rem The PFX is exported to .\certs, so make sure the folder exists
if not exist certs mkdir certs
echo Generating INF file for certificate
rem The first line uses a single ^> so that an INF file left over from an earlier run is overwritten
echo ;-----CertificateRequestTemplate.inf----- > %subjectname%.inf
echo [NewRequest]                                                 >> %subjectname%.inf
echo Subject="cn=%subjectname%"                                   >> %subjectname%.inf
echo Exportable=TRUE                                              >> %subjectname%.inf
echo KeyLength=2048                                               >> %subjectname%.inf
echo KeySpec=1             ;key exchange                          >> %subjectname%.inf
echo KeyUsage=0xA0                                                >> %subjectname%.inf
echo MachineKeySet=TRUE                                           >> %subjectname%.inf
echo [RequestAttributes]                                          >> %subjectname%.inf
echo CertificateTemplate="ConfigMgrClientCertificate" ; this is for Client Authentication    >> %subjectname%.inf
echo SAN="DNS=%subjectname%"                             >> %subjectname%.inf

echo Generating certificate request
CertReq -New -f %subjectname%.inf %subjectname%.req
echo Retrieving certificate
rem Edit: CA server FQDN and CA name (quoted so the placeholder is not parsed as redirection)
CertReq -Submit -q -f -config "<CAServerName.FQDN.CO.UK>\<CA-NAME-CA>" %subjectname%.req %subjectname%.cer
echo Importing certificate
certreq -accept %subjectname%.cer
echo Exporting certificate
rem Edit: PFX password; the install script must use the same password to import the PFX
Certutil -f -p "<password>" -exportpfx %subjectname% .\certs\%subjectname%.pfx
rem Remove the certificate and the working files from this machine
certutil -delstore "MY" %subjectname%
del %subjectname%.req
del %subjectname%.inf
del %subjectname%.cer
echo Completed!

To put this all together, we will need a copy of our root certificate. We will also need a copy of the client binary files. Putting them all on a USB stick is the best method as you can keep them all in one place and it makes it portable.

Our final bit of code adds the root certificate to the trusted root certificate store, imports the client certificate created by the preceding code, and finally runs the client installation. Lines that require editing have been highlighted; this script should be run as an administrator:

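echo Adding Trusted Root Certificate
rem Edit: file name of your root certificate (RootCert.cer in the USB layout described in this section)
certutil -addstore -f "ROOT" "%~dp0RootCert.cer"
echo Import Client Certificate
rem Edit: the password that was used when the PFX was exported
Certutil -p agoodpassword -importpfx "%~dp0certs\%computername%.pfx"
echo Install ConfigMgr Client
rem Edit: management point, site code and host name
rem %~dp0 already ends with a backslash; /source points at the Client folder on the USB drive
rem /NOCRLCheck tells the client not to check the certificate revocation list
"%~dp0client\ccmsetup.exe" /source:"%~dp0client" /mp:myserver.fqdn.co.uk /usePKICert /NOCRLCheck SMSSITECODE=ZZZ CCMHOSTNAME=sccmserver.fqdn.co.uk
echo Finished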
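
Between the certificate import and the client installation, a check like the following confirms that the certificate now in the machine store is usable for client authentication and chains to the root that was just trusted. This is an added example, not code from the book; the parameter names, the function name Test-ClientCertificate and the default root file name (taken from the USB layout described in this section) are assumptions.

```powershell
# Added example: pre-flight check of the imported client certificate.
# Run as an administrator after the PFX import and before ccmsetup.exe.
param(
    [string]$SubjectName  = 'client.fqdn.co.uk',          # same value as in the request script
    [string]$RootCertPath = "$PSScriptRoot\RootCert.cer"  # assumed location of the CA root file
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientCertificate {
    param($Cert, $Root)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'private key missing' }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "not valid now ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if (@($Cert.EnhancedKeyUsageList.ObjectId) -notcontains $ClientAuthOid) {
        $problems += 'Client Authentication EKU missing'
    }
    # Build the chain in machine context. Revocation is skipped because the
    # install script on this page also runs ccmsetup with /NOCRLCheck.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    # The last chain element must be the root certificate from the USB drive.
    $top = $chain.ChainElements | Select-Object -Last 1
    if ($top.Certificate.Thumbprint -ne $Root.Thumbprint) {
        $problems += 'chain does not end at the expected root'
    }
    return ,$problems
}

$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCertPath
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $SubjectName })
if ($certs.Count -eq 0) {
    Write-Error "No certificate for $SubjectName in LocalMachine\My"
    exit 1
}
$failed = $false
foreach ($c in $certs) {
    $p = Test-ClientCertificate -Cert $c -Root $root
    if ($p.Count) { $failed = $true; Write-Warning "$($c.Thumbprint): $($p -join '; ')" }
    else          { Write-Output "$($c.Thumbprint): OK" }
}
if ($failed) { exit 1 }
```

A non-zero exit code means at least one matching certificate failed a check, so the calling script can stop before ccmsetup.exe runs.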

The folder structure for your USB drive is simple as well. Here is an example of how the layout should look:

  • Client: This is the folder that contains your client binary files
  • Certs: These are the PFX certificates for the computer
  • GenerateCertificate.cmd: This is the first script shown in this section
  • InstallClient.cmd: This is the second script shown in this section
  • RootCert.cer: This is the root certificate from your CA