Import PFX Certificate via Group Policy Preferences

I have a vendor with a web-based service that requires a password-protected .PFX certificate to be imported into the user’s Personal certificate store.

Group Policy

When I opened up Group Policy Management and navigated to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, I found several certificate stores that I could import the .PFX file into. The Trusted Root Certification Authorities or Trusted Publishers stores would seem like good places to import this vendor certificate, but neither is the store the vendor requires.

User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies also had a few stores I could target, but none contain the User’s Personal store. The correct store can be found via Internet Explorer -> Internet Options -> Content -> Certificates -> Personal. Unfortunately, Group Policy isn’t able to target this certificate store.


Since Group Policy and Group Policy Preferences didn’t offer a way to import a .PFX certificate into a user’s Personal certificate store, I turned to scripting the solution.
I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).
Next I created a .BAT script named import-certificate.bat which runs this command:

certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx" NoRoot

Then I created a .VBS script named import-certificate-silently.vbs that runs the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):

' Run the batch file through cmd with a hidden window (0) and without waiting for it to finish (False)
Set oShell = CreateObject("WScript.Shell")
Dim strArgs
strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat"
oShell.Run strArgs, 0, False

Group Policy Preference Schedule Tasks

I then returned to Group Policy Management and navigated to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks. I created a Scheduled Task that runs 30 seconds after the user logs in. The scheduled task runs %LOGONSERVER%\netlogon\certificates\import-certificate-silently.vbs.

The result is that when a Citrix user who belongs to the security group in Active Directory logs into their virtual desktop, the required SSL certificate is automatically installed in their User -> Personal certificate store.
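As an added example (not code from the original post), the same import as one PowerShell script that the Scheduled Task can run directly with a hidden window, which removes the need for the .BAT/.VBS pair and skips the import on repeat logons when the certificate is already present. The path, the password placeholder and the script name are assumptions; substitute your own.

```powershell
# import-certificate.ps1 (added example, not from the original post)
# Scheduled Task action, assumed:
#   powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File import-certificate.ps1
param(
    [string]$PfxPath     = "$env:LOGONSERVER\netlogon\certificates\vendorcertificate.pfx",
    [string]$PfxPassword = "CertificatePassword",   # placeholder, same as the .bat in the post
    [string]$StorePath   = "Cert:\CurrentUser\My"   # the user's Personal store
)

$ErrorActionPreference = 'Stop'

# Anyone who can read the share can read this password, exactly as with the .bat file;
# restrict the share and NTFS ACL to the security group that needs the certificate.
$secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force

# Read the thumbprint from the PFX without writing to any store, so repeated logons
# do not re-import (certutil -f re-imports every time the task fires).
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $secure)
$thumbprint = $pfx.Thumbprint

if (Test-Path (Join-Path $StorePath $thumbprint)) {
    Write-Verbose "Certificate $thumbprint is already in $StorePath; nothing to do."
    exit 0
}

# Import into the Personal store only. Without -Exportable the private key is marked
# non-exportable, so the vendor key cannot be pulled back out of the user's profile.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $secure

# Verify the import landed where the vendor expects it; a failure here surfaces in the
# Scheduled Task's last run result instead of silently leaving the user without a cert.
if (-not (Test-Path (Join-Path $StorePath $imported.Thumbprint))) {
    throw "Import of $PfxPath into $StorePath failed verification."
}
```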
