
Automatic installation of certificates in the Trusted Root Certification Authorities store. Installing trusted (root) certificates on a computer How to place a certificate in trusted

To install the certificates, connect the USB flash drive that holds the electronic signature, open it and install the certificates as follows.

1. Install the certificate of the head certification authority into the Trusted Root Certification Authorities store. To do this:

1.1. Double-click on the certificate of the head CA - the file “Head Certification Authority.cer”.

1.2. In the form that opens, click the “Install certificate...” button.

1.3. Select “Place all certificates in the following store” (select the option next to this label) and click the “Browse” button.

1.4. In the list that opens, select “Trusted Root Certification Authorities” and click the “OK” button.

2. Install a personal certificate

A personal certificate is installed using the CryptoPro CSP program.

2.1. Launch the CryptoPro CSP program (Start button -> CryptoPro CSP or Start button -> All programs -> CRYPTO-PRO -> CryptoPro CSP).

2.2. In the window that opens, select the “Service” tab and click the “Install personal certificate...” button.

2.3. In the window that opens, click the “Browse” button, select the organization’s certificate on the flash drive - the second file with the “cer” extension (not the CA certificate file; in the example, “adicom.cer”) - and click “Next”.




2.4. In the form that opens, click “Next”


2.5. In the form that opens, select the “Find container automatically” checkbox. The “Name of the key container” field will be filled in; then click “Next”.


2.6. In the form that opens, click “Next”


2.7. In the form that opens, click “Finish”


All the software needed to generate an electronic signature is now installed - you can sign printed forms.

3. Install the extension (add-on) CryptoPro Extension for Cades Browser Plug-in in the browser

To install the browser extension (add-on) CryptoPro Extension for Cades Browser Plug-in, open the extension store in your browser and search for the word Cades. For Yandex.Browser link -

Installing self-signed certificates is a very common task for a system administrator. Usually this is done manually, but what if there are dozens of machines? And what about reinstalling the system or buying a new PC, when there may be more than one certificate? Write cheat sheets? Why bother, when there is a much simpler and more convenient way: Active Directory group policies. Once the policy is configured, you no longer have to worry about whether users have the necessary certificates.

Today we'll look at certificate distribution using the example of a Zimbra root certificate that we exported to . Our task is to automatically distribute the certificate to all computers in the Office organizational unit (OU). This avoids installing the certificate where it is not needed: in the north, warehouse and cash workstations, etc.

Let's open the snap-in and create a new policy in the Group Policy Objects container: right-click the container and select New. A policy can install one or several certificates at the same time. Which to choose is up to you, but we prefer to create a separate policy for each certificate, which lets us change the rules for their use more flexibly. You should also give the policy a clear name so that when you open the console six months later, you don't have to painfully remember what it is for.

Then drag the policy onto the Office container, which applies it to this unit.

Now right-click the policy and select Edit. In the Group Policy Editor that opens, expand in sequence Computer Configuration - Windows Settings - Security Settings - Public Key Policies - . In the right part of the window, right-click, select Import and import the certificate.

The policy has been created; now it is time to check that it is applied correctly. In the Group Policy Management snap-in, select Group Policy Modeling and right-click it to run the Group Policy Modeling Wizard.

Most of the settings can be left at their defaults; the only thing you need to specify is the user and computer for which you want to check the policy.

After the simulation has run, we can verify that the policy is successfully applied to the specified computer; otherwise, expand the Denied GPOs item and look at the reason why the policy was not applied to this user or computer.

Then we will check the operation of the policy on the client PC; to do this, we will update the policies manually with the command:

Gpupdate

Now let's open the certificate store. The easiest way to do this is through Internet Explorer: Internet Options - Content - Certificates. Our certificate must be present in the Trusted Root Certification Authorities container.
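The same check can be scripted so that it can be repeated on any client. The following is an added example, not part of the original article: it compares the machine's root store with the thumbprint of the .cer file that was imported into the policy and reports whether the copy on the machine came from Group Policy. The file path is an assumption and must point to your own copy of the certificate.

```powershell
# Added example: confirm on a client that the GPO-distributed root arrived.
param(
    # Assumption: a copy of the same .cer file that was imported into the policy.
    [Parameter(Mandatory)][string]$CerPath
)

$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $CerPath).Path)
$thumb = $expected.Thumbprint

# Re-apply computer policy, as the article does with gpupdate.
gpupdate /target:computer /force | Out-Null

# Logical store: this is what Windows consults when it builds certificate chains.
$inStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb })

# Certificates delivered by Group Policy are kept under the Policies key, which
# distinguishes them from copies that someone installed by hand.
$policyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"
$fromPolicy = Test-Path $policyKey

[pscustomobject]@{
    Subject       = $expected.Subject
    Thumbprint    = $thumb
    NotAfter      = $expected.NotAfter
    InTrustedRoot = $inStore
    FromPolicy    = $fromPolicy
}

if (-not $inStore) {
    Write-Warning ('Certificate not found in LocalMachine\Root; ' +
        'run "gpresult /r /scope computer" to see which GPOs were applied.')
}
```

A result with InTrustedRoot true but FromPolicy false means the certificate is trusted on this machine but was not put there by the policy.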

As you can see, everything works and the administrator has one less headache: the certificate will be automatically distributed to all computers placed in the Office unit. If necessary, you can set more complex conditions for applying the policy, but this is beyond the scope of this article.

When verifying an electronic signature (EDS), your computer must not only determine the validity period of your EDS, but also understand who issued it. Every EDS certificate states which Certification Authority (CA) issued the signature. Once the system has “read” the issuer of the EDS, it needs information about that issuer itself. For this purpose, a root certificate is installed on the user's computer.

If the root certificate of a Certification Authority is installed on the user’s computer, then all certificates issued by this CA are considered valid (provided that their validity period has not yet expired).

Taking all of the above into account, for an electronic signature certificate to be treated by the system as “valid”, the root certificate of the Certification Authority that issued the digital signature must be installed.
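The dependency described above can be observed directly. The following is an added example, not part of the original article: it builds the chain for a signature certificate with the .NET X509Chain class and reports whether the chain ends in a root from the trusted store. The file path is an assumption, and revocation checking is switched off only so that the result isolates the root-trust question.

```powershell
# Added example: show that a signature certificate is accepted only when the
# root of its issuing CA is in the Trusted Root Certification Authorities store.
param(
    # Assumption: path to the personal (end-entity) certificate file.
    [Parameter(Mandatory)][string]$CerPath
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $CerPath).Path)

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# Revocation is not checked here, to isolate the question of root trust.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$trusted = $chain.Build($cert)

# List the chain from the end-entity certificate up to the root.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    '{0}  (thumbprint {1}, valid until {2:yyyy-MM-dd})' -f $c.Subject, $c.Thumbprint, $c.NotAfter
}

if ($trusted) {
    'Chain is trusted: it ends in a root that is present in the trusted store.'
} else {
    # Typical flags: UntrustedRoot (root found but not trusted), PartialChain
    # (issuer certificate not found), NotTimeValid (validity period expired).
    foreach ($status in $chain.ChainStatus) {
        'Chain problem: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
}
```

Running it before and after the root certificate is installed shows the status change from UntrustedRoot or PartialChain to a trusted chain.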

Let's start installing the root certificate:

Before installing the root certificate, download it from the website of the certification authority that issued you the digital signature or from our website in the section: .

1. Double-click on the saved certificate or right-click and select the item as shown in the figure.

2. In the window that appears, click the “Next” button.

3. In the next window, select “Place all certificates in the following store” and click on the “Browse...” button.

4. In the pop-up window, select "Trusted Root Certification Authorities" and click "OK".

5. The pop-up window will close and the wizard should look as shown in the picture. If nothing appears in the “Certificate store” field, go back and repeat steps 3 and 4. If everything is displayed as shown in the figure, click “Next”.

6. When finished, click "Finish".

7. After closing the Certificate Import Wizard window, the system may issue a warning about installing certificates on your computer. This message may appear several times. Press the "YES" button each time.


8. If the previous message does not appear, click “OK” in the next window as shown in the figure.

Done! The root certificate of the Certification Authority has now been successfully installed.

Once a friend (Seryoga from antelecs.ru) approached me with the question of whether it was possible to somehow speed up or automate the routine process of adding several certificates to the Trusted Root Certification Authorities store. The problem seemed interesting to me and relevant to the theme of the site, so I decided to publish the solution here.

Of course, I could have messed around with GPO or something else administratively laborious, but for some reason my first thought was to use the tools at hand: the RAR archiver and its ability to create self-extracting (SFX) archives.

Automatic installation of certificates

We will need the certmgr.exe utility from the Windows SDK. Information on how to use it is on this page.

Select all the files and choose the “Add to archive...” command from the context menu.


Specify archive parameters. Here you can specify an arbitrary name for the output executable file, and you must also check the “Create SFX archive” checkbox.


On the “Advanced” tab, click the “SFX Options...” button.


On the “General” tab, specify the path for unpacking - you can specify the current folder or its subdirectory.

The most interesting thing: on the “Installation” tab we indicate which commands to run after extracting the files. The current directory will be the one where the files are unpacked. The command to install the certificate in the store looks like this:

certmgr.exe -add -c "Filename.cer" -s -r localMachine root

where localMachine means the installation for the computer, and root is the name of the Trusted Root Certification Authorities store.

For ease of use, you can hide all dialog boxes (otherwise a dialog box for selecting a directory for unpacking, etc. will be displayed).

The Comments tab displays all the actions performed during unpacking. In principle, you can enter this text here manually and get the same result.
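Because the archive runs its commands unattended and every certificate it adds becomes a trust anchor for the whole machine, each file should be checked against a known thumbprint before it is added. The following is an added example, not code from the original post: it uses the built-in Import-Certificate cmdlet instead of certmgr.exe, and the allow-list values are placeholders to be replaced with thumbprints obtained from the CA through a separate channel.

```powershell
#Requires -RunAsAdministrator
# Added example: import only the .cer files whose thumbprint is on an allow-list.
param(
    [string]$Folder = $PSScriptRoot   # folder the archive was unpacked into
)

# Assumption: placeholder values; replace with thumbprints published by the CA.
$allowed = @(
    '<THUMBPRINT-OF-ROOT-1>',
    '<THUMBPRINT-OF-ROOT-2>'
)

$now = Get-Date
foreach ($file in Get-ChildItem -Path $Folder -Filter *.cer) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

    if ($allowed -notcontains $cert.Thumbprint) {
        $reason = 'thumbprint is not on the allow-list'
    } elseif ($cert.Subject -ne $cert.Issuer) {
        # Subject differs from issuer: an intermediate or personal certificate.
        $reason = 'not self-issued, so it does not belong in the root store'
    } elseif ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $reason = 'outside its validity period'
    } else {
        $reason = $null
    }

    if ($reason) {
        Write-Warning "Skipped $($file.Name): $reason"
        continue
    }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root |
        Out-Null
    Write-Output "Installed $($cert.Subject) [$($cert.Thumbprint)]"
}
```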

