Trusted Publishers certificate store

Ramin Zamani 41 Reputation points
2021-04-15T21:33:18.16+00:00

Hello everyone,

In order to authenticate my users' Cisco VPN connection based on a self-signed certificate installed on their PCs, I have created a GPO with the certificate imported into the Trusted Publishers store, and I can see it applies perfectly on all computers with no issues. The problem is that in order to authenticate my users against this certificate I need to scan their PCs' registry for the certificate key, which does not exist when I install the certificate through GPO; but if I install the certificate using the certificate management console and import it manually, it generates the certificate registry key and then I am able to authenticate with no issues. Does anybody know why the GPO does not generate the needed registry key as the manual import does?
On another note, I tried using PS scripts to import the certificate, which created the registry key, but I am trying to avoid using scripts due to the Execution Policy settings on our company computers.
Here is the registry key path:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Thanks,
Ramin


Accepted answer
  1. Anonymous
    2021-04-27T02:19:40.843+00:00

    Hello @Ramin Zamani ,

    Thank you so much for your update.

    I only have time to test your problem in my test environment now.

    Then I got the same result as you.

    But I have a new finding: the certificate installed through GPO has changed the following registry key instead of the one you provided.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates

    Here is the result in my lab.

    [screenshot: reg1.png]

    You can check on your machine.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

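The accepted answer explains that a GPO-deployed certificate lands under the Policies hive rather than the key the question checks. The following PowerShell script is an added example (not code from the thread or from Microsoft) that looks for a given thumbprint in both physical locations and cross-checks against the logical store; the thumbprint value is a placeholder you supply.

```powershell
# Added example: locate a Trusted Publishers certificate by thumbprint in both
# the locally imported and the Group Policy delivered registry locations.
# $Thumbprint is a placeholder parameter; pass your certificate's SHA-1 thumbprint.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Registry subkeys are named by upper-case hex SHA-1 thumbprint with no spaces.
$Thumbprint = ($Thumbprint.ToUpperInvariant() -replace '[^0-9A-F]', '')

# Manual import (certmgr / certlm) writes here:
$localPath  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
# Group Policy (Public Key Policies -> Trusted Publishers) writes here:
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates'

$found = $false
foreach ($base in @($localPath, $policyPath)) {
    $key = Join-Path -Path $base -ChildPath $Thumbprint
    if (Test-Path -LiteralPath $key) {
        Write-Output "Present : $key"
        $found = $true
    } else {
        Write-Output "Missing : $key"
    }
}

# The Cert: provider shows the merged logical store, so a GPO-delivered
# certificate appears here even though it is absent from the non-Policies key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($cert) {
    Write-Output ("Logical store: subject '{0}', valid until {1:u}" -f $cert.Subject, $cert.NotAfter)
} else {
    Write-Output 'Logical store: not present'
}

# Non-zero exit code lets a VPN pre-check or logon script act on the result.
if ($found) { exit 0 } else { exit 1 }
```

Because the script only reads the registry and certificate store, it can be run for a one-off check with `powershell.exe -ExecutionPolicy Bypass -File <script>.ps1 -Thumbprint <value>` without changing the machine-wide execution policy.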

6 additional answers

  1. Anonymous
    2021-04-16T02:23:47.967+00:00

    Hello @Ramin Zamani ,

    Thank you for posting here.

    Based on the description above, I understand you have a self-signed certificate for your users' Cisco VPN connection, and you want to install this certificate into all their stores via GPO.

    1. But would you please tell me what the type of this certificate is? I mean, is this certificate issued as a user certificate or as a machine certificate?

    2. If it is a machine certificate, you have configured the GPO under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers, is that right?

    1. Create an OU and put the machines in this OU.
    2. Create a GPO and link this GPO to the OU above.
    3. Edit the GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers
    4. Restart the machines in the OU above to see the certificate installed in Trusted Publishers
    5. But the value of the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates is not changed, is that right?

    3. Based on the description "but if I install the certificate using certificate management console and import it manually, it generates the certificate registry key and then I am able to authenticate with no issues.", do you import the certificate to the Personal store or Trusted Publishers store under "Certificates - Local Computer", or to the Personal store or Trusted Publishers store under "Certificates - Current User"?

    [screenshot: is1.png]

    [screenshot: is2.png]

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Ramin Zamani 41 Reputation points
    2021-04-19T13:34:22.177+00:00

    Hello Daisy,

    Here are my answers:

    1. I have imported the certificate to the Trusted Root Certification Authorities and Trusted Publishers stores under Computer Configuration.
    2. Yes, it is correct. 2-5: It is correct.
    3. I import the certificate under "Certificates (Local Computer)" - "Trusted Publishers"

    Thanks,
    Ramin


  3. Ramin Zamani 41 Reputation points
    2021-04-21T00:20:53.01+00:00

    Can anybody help in this matter? I am stuck on this. I even tried to add the certificate by using a script, but the commands in the script need to be run as Administrator, and so it does not affect the certificate store or registry. Any help is appreciated.
    Ramin


  4. Anonymous
    2021-04-23T09:53:36.37+00:00

    Hello @Ramin Zamani ,

    Thank you so much for your update.

    As far as I know, either we use user VPN certificate or we use computer VPN certificates.

    If we use a user VPN certificate, we put the cert in the user store.
    [screenshot: u1.png]

    If we use a computer VPN certificate, we put the cert in the machine store.
    [screenshot: u2.png]

    And for the existing cert, we need to export it to user/ machine store manually.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
