Distribute the certificate in the shortest possible time among Windows stations at any cost

At the start of the 2020 pandemic, the task arose of distributing our root certificate to home PCs, as a large number of employees began working from home.
Now a new task has arrived: distributing the Mintsifry (Ministry of Digital Development) certificate.
In a domain everything is simple: I added the certificate to the GPO policies and off we go. But what about local (home) Windows workstations?
\\ Continuing the PKI theme: https://habr.com/ru/post/549252/
Hand out step-by-step instructions with pictures so that employees add the certificate to the local security policy themselves?
That does not work! Whether in pictures or in text, adding a certificate in exactly the right place, as it turned out, is sometimes an impossible task even for a programmer!
The eternal question: what to do about it?
In fact, everything was invented long ago; you just need to know how to use it.
Microsoft has a certificate manager tool that lets you complete the task.
In detail here
So, we have the Certmgr.exe tool; we can consider the task in the bag!
Partly yes, but no: the tool must be run as an administrator with the right parameters. And we are back to step one, the instructions in pictures (
Solution
Well, let's do everything smoothly and without questions. Let's write a small batch file that solves the problem.
@echo off
REM Switch to the drive and directory the batch file was started from
set dir=%~dp0
%dir:~0,2%
CD "%~dp0CertSetup\"
REM Fresh log directory for this run
md "%CD%\log\"
del /f /q "%cd%\log\*.*"
echo %cd%
CLS
Echo .
Echo "Внимание!!! - Приложение должно быть запущено от имени Администратора!"
Echo .
Echo .
Rem ADMIN: certmgr cannot write to the LocalMachine stores without elevation,
Rem so check this before doing anything; openfiles fails (non-zero errorlevel) when not elevated
openfiles >nul 2>&1
If %Errorlevel% NEQ 0 Goto :notadmin
REM download
REM download
REM Root: add every certificate, then every CRL, then delete by SHA1 thumbprint; each step is logged
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\*"') do "%cd%\bin\certmgr.exe" -add -c "%CD%\CertCentre\ROOT\%%a" -s -r localMachine root
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\*"') do echo %%a >> "%cd%\log\CRTroot.log"
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\CRL\*"') do "%cd%\bin\certmgr.exe" -add "%CD%\CertCentre\ROOT\CRL\%%a" -s -r localMachine root
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\CRL\*"') do echo %%a >> "%cd%\log\CRLroot.log"
REM The file name in DelSHA1 is the SHA1 thumbprint of the certificate to remove
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\DelSHA1\*"') do "%cd%\bin\certmgr.exe" -del -c -sha1 "%%a" -s -r localMachine root
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\DelSHA1\*"') do echo %%a >> "%cd%\log\DELroot.log"
REM CA: same three steps for the Intermediate Certification Authorities store
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\*"') do "%cd%\bin\certmgr.exe" -add -c "%CD%\CertCentre\CA\%%a" -s -r localMachine CA
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\*"') do echo %%a >> "%cd%\log\CRTca.log"
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\CRL\*"') do "%cd%\bin\certmgr.exe" -add "%CD%\CertCentre\CA\CRL\%%a" -s -r localMachine CA
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\CRL\*"') do echo %%a >> "%cd%\log\CRLca.log"
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\DelSHA1\*"') do "%cd%\bin\certmgr.exe" -del -c -sha1 "%%a" -s -r localMachine CA
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\CA\DelSHA1\*"') do echo %%a >> "%cd%\log\DELca.log"
REM Disallowed: certificates placed here are explicitly untrusted
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\Disallowed\*"') do "%cd%\bin\certmgr.exe" -add -c "%CD%\CertCentre\Disallowed\%%a" -s -r localMachine Disallowed
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\Disallowed\*"') do echo %%a >> "%cd%\log\CRTDisallowed.log"
REM FindErrorRoot: dump each root certificate file with certmgr and look for "Failed" in the output
for /f "delims=" %%a in ('dir /b /a-d "%CD%\CertCentre\ROOT\*"') do "%cd%\bin\certmgr.exe" "%CD%\CertCentre\ROOT\%%a" >> "%cd%\log\FindErrorROOT.log"
find "Failed" "%cd%\log\FindErrorROOT.log"
if "%ERRORLEVEL%" == "0" Goto :notsetup
CLS
mode con:cols=70 lines=70
Echo .
ECHO Установлены следующие сертификаты
if exist "%cd%\log\CRTroot.log" Echo -----------------------------------------------ROOT:
if exist "%cd%\log\CRTroot.log" TYPE "%cd%\log\CRTroot.log"
if exist "%cd%\log\CRTca.log" Echo -----------------------------------------------CA:
if exist "%cd%\log\CRTca.log" TYPE "%cd%\log\CRTca.log"
Echo .
ECHO Установлены списки отзывов
if exist "%cd%\log\CRLroot.log" Echo -----------------------------------------------ROOT:
if exist "%cd%\log\CRLroot.log" TYPE "%cd%\log\CRLroot.log"
if exist "%cd%\log\CRLca.log" Echo -----------------------------------------------CA:
if exist "%cd%\log\CRLca.log" TYPE "%cd%\log\CRLca.log"
Echo .
if exist "%cd%\log\CRTDisallowed.log" ECHO Отозваны следующие сертификаты:
if exist "%cd%\log\CRTDisallowed.log" Echo -----------------------------------------------
if exist "%cd%\log\CRTDisallowed.log" TYPE "%cd%\log\CRTDisallowed.log"
Echo .
Echo .
ECHO Удалены сертификаты с отпечатками SHA1:
if exist "%cd%\log\DELroot.log" Echo -----------------------------------------------ROOT:
if exist "%cd%\log\DELroot.log" TYPE "%cd%\log\DELroot.log"
if exist "%cd%\log\DELca.log" Echo -----------------------------------------------CA:
if exist "%cd%\log\DELca.log" TYPE "%cd%\log\DELca.log"
Echo .
Echo .
Echo -= All OK =-
REM Pause for about 20 seconds; redirect to the NUL device, not to a file named "null"
ping 127.0.0.1 -n 20 > nul
exit
:notsetup
CLS
Echo .
Echo "Внимание!!! - Приложение должно быть запущено от имени Администратора!"
Echo .
REM "^" escapes ">" so it is printed instead of being treated as a redirection
Echo -^> Один или несколько, корневых сертификатов не установлены !!!
pause
exit
:notadmin
CLS
Echo .
Echo "Внимание!!! - Приложение должно быть запущено от имени Администратора!"
Echo .
pause
exit
Let's figure out what this batch file does
The batch file walks a set of directories and registers the certificates found in them:
In more detail
\CertCentre\ROOT\
Here we place our CER certificates (there can be several).
These certificates go into "Trusted Root Certification Authorities".
For each of these certificates the following command is executed:
certmgr.exe -add -c "*cert" -s -r localMachine root
\CertCentre\ROOT\CRL\
The CRL directory contains certificate revocation lists (if needed).
Command: certmgr.exe -add "*crl" -s -r localMachine root
\CertCentre\ROOT\DelSHA1\
In this directory we can place files whose name is the SHA1 thumbprint of a certificate that should be deleted from the store.
Command: certmgr.exe -del -c -sha1 "<sha1>" -s -r localMachine root
Where can I get a thumbprint?
\CertCentre\CA\
Everything is as for ROOT, only the certificates go into "Intermediate Certification Authorities".
\CertCentre\CA\CRL\ and \CertCentre\CA\DelSHA1\ work the same way as for ROOT.
\CertCentre\Disallowed\
Everything is as for ROOT, only the certificates go into "Untrusted Certificates".
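The thumbprint question above deserves a worked answer, and the same check is useful after the batch file has run, to confirm that a certificate really landed in the store it was meant for. The PowerShell script below is an added example, not code from the original article: it reads a .cer file, prints the SHA-1 thumbprint that certmgr.exe -del -sha1 expects, and looks that thumbprint up in the LocalMachine Root, CA and Disallowed stores. The path C:\CertSetup\CertCentre\ROOT\root.cer is an assumed placeholder.

```powershell
# Added example (not from the original article): compute the SHA-1 thumbprint
# that certmgr.exe -del -sha1 expects, and report whether that certificate is
# already present in the LocalMachine Root / CA / Disallowed stores.
# Assumed placeholder path: C:\CertSetup\CertCentre\ROOT\root.cer
param(
    [string]$CertPath = 'C:\CertSetup\CertCentre\ROOT\root.cer'
)

# X509Certificate2 accepts both DER and Base64 (PEM) encoded .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# .Thumbprint is the SHA-1 hash of the DER encoding, as 40 upper-case hex digits
# with no spaces; this is exactly the value to use as the DelSHA1 file name.
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"NotAfter  : $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"

# A self-signed certificate (Subject equals Issuer) belongs in Root;
# anything else is an intermediate and belongs in CA.
$expectedStore = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
"Expected store: LocalMachine\$expectedStore"

# Reading the LocalMachine stores does not require elevation.
foreach ($store in 'Root', 'CA', 'Disallowed') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $state = if ($found) { 'present' } else { 'absent' }
    "LocalMachine\$store : $state"
}

# An entry in Disallowed overrides trust from Root, so call that case out.
$blocked = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($blocked) {
    Write-Warning "Certificate $($cert.Thumbprint) is in the Disallowed store and will not be trusted."
}
```

Run it as `.\Show-CertThumbprint.ps1 -CertPath <file.cer>` (script name assumed). The same value is printed as "Cert Hash(sha1)" by `certutil -dump <file.cer>`, so either tool can be used to name the DelSHA1 files.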
Downloading "fresh" certificates from the network
The code can be improved by inserting the following code into the "REM download" section.
It makes it possible to download updated versions of the certificates from a server you control. The downloaded archive must be a ZIP file containing the \CertCentre\ directory structure, which replaces the local one.
REM Ask whether to fetch a fresh bundle; after 30 seconds the default answer is Y
Choice /D Y /T 30 /M "Загрузить последние цепочки сертификатов из сети Интернет? ->"
If %Errorlevel% == 1 Goto Yes
If %Errorlevel% == 2 Goto No
:Yes
"%cd%\bin\Curl.exe" -O http://cert.sslkey.ru/CertCentre/PKI.zip
REM Sanity check only: the archive must at least contain the CertCentre directory name
find "CertCentre" "%cd%\PKI.zip"
if "%ERRORLEVEL%" NEQ "0" del /f /q "%cd%\PKI.zip"
REM Keep the previous bundle; %Date% must not contain "/" for this to work (depends on the locale date format)
if exist "%cd%\PKI.zip" RENAME "%cd%\CertCentre" "CertCentreOLD-%Date%"
if exist "%cd%\PKI.zip" "%cd%\bin\7z.exe" x "%cd%\PKI.zip" -y -o"%CD%\" -r
CLS
if not exist "%cd%\PKI.zip" ECHO Не удалось загрузить последние цепочки сертификатов!
if not exist "%cd%\PKI.zip" ping 127.0.0.1 > nul
:No
Executable files
The executable files are located in the \bin directory.
The main file that solves our problem is certmgr.exe.
CertMgr is available as part of the Windows SDK.
Log
The \log directory contains the program execution log. The log is purely informational and cannot be used for debugging.
So, we have a batch file that must be run as administrator to perform the necessary functions (the batch file can check whether it has sufficient rights).
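The download section and the administrator check above are the two places where a practitioner would want more than the batch file gives: the archive that will populate the trusted root store should be verified before anything in it is imported, and the rights check should happen before the first store write. The PowerShell script below is an added example, not the article's code: it checks for elevation, downloads PKI.zip over TLS, compares its SHA-256 with a value obtained out of band, and only then imports certificates, CRLs and DelSHA1 deletions using the built-in Import-Certificate cmdlet and certutil.exe instead of certmgr.exe. The URL, the expected hash and the %TEMP%\CertSetup working directory are assumed placeholders; the archive layout is the article's.

```powershell
# Added example, not code from the original article: fetch the PKI.zip bundle over
# HTTPS, verify its SHA-256 against a value obtained out of band, and only then
# unpack it and import its contents with the built-in PKI cmdlets and certutil.
# Assumed placeholders: the URL, the expected hash and the %TEMP%\CertSetup
# working directory. Archive layout is the article's CertCentre\ROOT, CA and
# Disallowed directories, each optionally with CRL\ and DelSHA1\ subdirectories.
$BundleUrl      = 'https://cert.example.invalid/CertCentre/PKI.zip'   # placeholder
$ExpectedSha256 = 'REPLACE_WITH_PUBLISHED_SHA256'                     # placeholder
$Work           = Join-Path $env:TEMP 'CertSetup'

# 1. Writing to the LocalMachine stores needs elevation, so check that first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# 2. Download over TLS 1.2 and refuse the archive unless its hash matches.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$zip = Join-Path $Work 'PKI.zip'
Invoke-WebRequest -Uri $BundleUrl -OutFile $zip -UseBasicParsing
$actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Remove-Item -Path $zip -Force
    throw "PKI.zip hash mismatch: got $actual, expected $ExpectedSha256"
}
Expand-Archive -Path $zip -DestinationPath $Work -Force

# 3. Directory name in the archive -> store name under Cert:\LocalMachine\.
$stores = @(
    @{ Dir = 'ROOT';       Store = 'Root'       },
    @{ Dir = 'CA';         Store = 'CA'         },
    @{ Dir = 'Disallowed'; Store = 'Disallowed' }
)
foreach ($s in $stores) {
    $src = Join-Path $Work "CertCentre\$($s.Dir)"
    if (-not (Test-Path -Path $src)) { continue }

    # Certificates: Import-Certificate handles DER and Base64 .cer files.
    foreach ($f in Get-ChildItem -Path $src -File -Filter '*.cer') {
        $c = Import-Certificate -FilePath $f.FullName -CertStoreLocation "Cert:\LocalMachine\$($s.Store)"
        "ADD  $($s.Store): $($c.Thumbprint) $($c.Subject)"
    }

    # Revocation lists: Import-Certificate does not accept CRLs, certutil does.
    $crlDir = Join-Path $src 'CRL'
    if (Test-Path -Path $crlDir) {
        foreach ($f in Get-ChildItem -Path $crlDir -File) {
            & certutil.exe -addstore $s.Store $f.FullName | Out-Null
            "CRL  $($s.Store): $($f.Name)"
        }
    }

    # DelSHA1: the file name is the SHA-1 thumbprint of a certificate to remove.
    $delDir = Join-Path $src 'DelSHA1'
    if (Test-Path -Path $delDir) {
        foreach ($f in Get-ChildItem -Path $delDir -File) {
            $sha1 = $f.BaseName -replace '[^0-9A-Fa-f]', ''
            & certutil.exe -delstore $s.Store $sha1 | Out-Null
            "DEL  $($s.Store): $sha1"
        }
    }
}

# 4. Leave a machine-readable record of what the Root store now contains.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object Thumbprint, Subject, NotAfter |
    Export-Csv -Path (Join-Path $Work 'root-store.csv') -NoTypeInformation
```

The expected hash is the piece the batch file's `find "CertCentre"` check cannot replace: a ZIP that merely mentions the directory name passes that test, whereas a hash published through a second channel (an internal wiki page, a signed mail) ties the bundle to what the administrator actually built. The CSV written at the end gives a helpdesk something concrete to compare against when a user reports that the certificate "did not install".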
BAT execution example
Making an EXE
Let's make an EXE; I'll use WinRAR.
Packing into an SFX
That's it: we have an EXE that, when launched, asks for Administrator rights and installs the certificate.
Finished example
I am attaching a ready-made example based on the root certificate of the Ministry of Digital Development:
https://disk.yandex.ru/d/mxw3TFZFzGFXNw