
Installing certificates for our users via GPO
In any organization, users need certificates to access certain websites, either for their own authentication or on behalf of the company. The usual approach is to install the certificate on the computer with the user logged in, a manual process that has to be repeated every time a new person joins the organization or a certificate is renewed. Instead, we can use Active Directory Group Policy to assign certificates to users fully automatically.
As I said, in this document we will see how to automatically import a certificate into the "Personal" certificate store of an Active Directory user, so that they can use it while browsing with Internet Explorer (for example) and access websites that require that certificate. First we need the capicom.dll library, which we can download here or from the Microsoft website (you would have to install the MSI to get the DLL from %ProgramFiles%\Microsoft CAPICOM 2.1.0.2 SDK\Lib\X86). We also need a script called CStore.vbs, which we can download here or from the same Microsoft link (it ships in %ProgramFiles%\Microsoft CAPICOM 2.1.0.2 SDK\Samples\vbs).
The process is simple: first we copy the capicom.dll library to %windir%\System32 on the computers, then we register it (silently), and finally we run the Visual Basic Script (VBS) to import the certificate, passing the password that protects the .pfx. We save all of this in a .cmd file that users will run automatically when they log on to their computers: fast and transparent. With this we keep the organization's certificates under control. Two caveats: copying into System32 and registering a COM DLL needs administrative rights on the workstation, so this logon script only succeeds for users who are local administrators; and CAPICOM is a 32-bit library (since deprecated by Microsoft), so on 64-bit Windows it belongs in %windir%\SysWOW64 and must be registered with the regsvr32 from that folder.
We create a directory on a server where we keep all the files together, share it read-only, and point the GPO at that .cmd. Keep in mind that anyone who can read the share can read both the .pfx (certificate and private key) and the password that sits in clear text in the .cmd, so grant read access only to the group that needs that certificate rather than to all users.
Example of “Import User Certificate RRHH.cmd”
[SourceCode]rem Copy the CAPICOM library to the local System32 folder (overwrite silently)
copy \\server\certificates\capicom.dll %windir%\System32 /y
rem Register the COM library silently
regsvr32 /s %windir%\System32\capicom.dll
rem Import the PFX (certificate plus private key) into the user's Personal store
cscript \\server\certificates\CStore.vbs import "UNC_PATH_TO_CERTIFICATE\Certificate.pfx" CERTIFICATE_PASSWORD[/SourceCode]
We create a GPO and link it to the Organizational Unit whose users should receive this certificate, repeating the process for each certificate/department as needed. The script goes under "User Configuration" > "Windows Settings" > "Scripts (Logon/Logoff)" > "Logon".
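The same logon task written in PowerShell, as an added example that is not part of the original post: it uses the .NET X509Store API that ships with Windows instead of capicom.dll, so nothing has to be copied into System32 or registered, and it works without administrative rights because the CurrentUser\My store is writable by the user. It also checks by thumbprint before importing, so running it at every logon is harmless. The share path \\server\certificates\Certificate.pfx and the CERTIFICATE_PASSWORD placeholder are assumptions, and the password is still in clear text in the script, exactly as in the .cmd above.

```powershell
# Added example (not from the original post): PowerShell logon script that imports a user
# certificate into the CurrentUser\My ("Personal") store via the .NET X509Store API.
# Assumed names: \\server\certificates\Certificate.pfx and the CERTIFICATE_PASSWORD placeholder.
param(
    [string]$PfxPath     = '\\server\certificates\Certificate.pfx',
    [string]$PfxPassword = 'CERTIFICATE_PASSWORD'
)

# Returns the certificate already in CurrentUser\My with this thumbprint, or $null.
function Get-UserCertificateByThumbprint {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -gt 0) { return $found[0] }
        return $null
    } finally {
        $store.Close()
    }
}

# Imports the PFX into CurrentUser\My unless that thumbprint is already present.
# Returns 'Imported' or 'AlreadyPresent'; throws on an unreadable file or wrong password.
function Import-UserCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # UserKeySet: the private key lands in the user's own key container, not the machine's.
    # PersistKeySet: keep the key on disk after this process exits; without it the certificate
    # would be in the store but unusable for client authentication at the next logon.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $Path, $Password, $flags

    if (Get-UserCertificateByThumbprint -Thumbprint $cert.Thumbprint) { return 'AlreadyPresent' }

    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return 'Imported'
}

try {
    $result = Import-UserCertificate -Path $PfxPath -Password $PfxPassword
    Write-Output "${env:USERNAME}: $result"
} catch {
    # Typical failures: share unreachable, wrong password, corrupt PFX. Logon scripts run
    # unattended, so surface the reason and a non-zero exit code for whoever reads the GPO logs.
    Write-Warning "Certificate import failed for ${env:USERNAME}: $($_.Exception.Message)"
    exit 1
}
```

Save it as a .ps1 on the same read-only share and assign it on the "PowerShell Scripts" tab of the same Logon node (Windows 7 / Server 2008 R2 and later), or launch it from the existing .cmd with `powershell.exe -ExecutionPolicy Bypass -File \\server\certificates\Import-UserCertificate.ps1`. On Windows 8 / Server 2012 and later the PKI module's `Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My` does the import in one line, but it has no built-in "already present" check.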
If we want to unregister the DLL at the end of the process we can use 'regsvr32 /u /s capicom.dll'. If we want to delete a certificate (careful: without -delkey the private key stays behind on the machine), run: 'cscript PATH\CStore.vbs delete -delkey -noprompt -subject CERTIFICATE_SUBJECT'.
If you prefer to download the necessary files, I leave them here: capicom.dll & CStore.vbs.