Deploying certificates to workgroup computers
You can still use your certificates from your internal certificate authority on workgroup computers. When clients are on the domain, we use autoenrolment to make sure our clients get the correct certificate.
While not as intuitive and simple as deploying certificates on the domain, however, we can use a script to first generate the certificate request. The next code does just that. First of all, we need to define the client name; this should be entered to make sure the certificate request is correct.
The next section of code generates the certificate request as well as saying what the template is. The certificate will generate a new certificate and then export the created certificate. Lines that require editing have been highlighted; this script should be executed as an administrator:
set subjectname=client.fqdn.co.uk echo Generating INF file for certificate echo ;—————CertificateRequestTemplate.inf————– >> %subjectname%.inf echo [NewRequest] >> %subjectname%.inf echo Subject="cn=%subjectname%" >> %subjectname%.inf echo Exportable=TRUE >> %subjectname%.inf echo KeyLength=2048 >> %subjectname%.inf echo KeySpec=1 ;key exchange >> %subjectname%.inf echo KeyUsage=0xA0 >> %subjectname%.inf echo MachineKeySet=TRUE >> %subjectname%.inf echo [RequestAttributes] >> %subjectname%.inf echo CertificateTemplate="ConfigMgrClientCertificate" ; this is for Client Authentication >> %subjectname%.inf echo SAN="DNS=%subjectname%" >> %subjectname%.inf echo Generating certificate request CertReq -New -f %subjectname%.inf %subjectname%.req echo Retrieving certificate CertReq -Submit -q -f -config <CAServerName.FQDN.CO.UK>\<CA-NAME-CA> %subjectname%.req %subjectname%.cer Echo Importing certificate certreq -accept %subjectname%.cer Echo Exporting certificate Certutil -f -p <password> –exportpfx %subjectname% .\certs\%subjectname%.pfx certutil -delstore "MY" %subjectname% del %subjectname%.req del %subjectname%.inf del %subjectname%.cer echo Completed!
To put this all together, we will need a copy of our root certificate. We will also need a copy of the client binary files. Putting them all on a USB stick is the best method as you can keep them all in one place and it makes it portable.
Our final bit of code will add the trusted root certificate to the trusted root certificate store; import our client certificate created in the preceding code. Then, finally execute the client installation. Lines that require editing have been highlighted; this script should be run as an administrator:
Echo Adding Trusted Root Certificate certutil -addstore -f "ROOT" "%~dp0MyTrustedRoot.cer" echo Import Client Certificate Certutil -p agoodpassword –importpfx "%~dp0certs\%computername%.pfx" echo Install ConfigMgr Client "%~dp0\client\ccmsetup.exe" /source:%~dp0certs\client /mp:myserver.fqdn.co.uk /usePKICert /NOCRLCheck SMSSITECODE=ZZZ CCMHOSTNAME=sccmserver.fqdn.co.uk Echo Finished
Tip
Downloading the example code
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
The folder structure for your USB drive is simple as well. Here is an example of how the layout should look:
Client: This is the folder that contains your client binary filesCerts: These are the PFX certificates for the computerGenerateCertificate.cmd: This is the first script shown in this sectionInstallClient.cmd: This is the second script shown in the preceding codeRootCert.cer: This is the root certificate from your CA