Add a bunch of self-signed certs to a Windows host
May 1, 2018 8:38 AM

Can a script be written to collect self-signed certificates from a lot of hosts (like 200+), and then add them all to a single Windows PC's web browser (probably IE)?

I have a workstation that needs to talk to a bunch of devices. These devices all have a self-signed certificate installed.

Can I write a script to connect to each device, grab their self-signed cert, and store it somewhere, and then dump all of the certificates into the workstation's trusted certificates list?

I apologize: I am a Unix sysadmin and I can only find advice for using GPOs to distribute a single cert to many client machines. I think I could do this in Bash, with the openssl command-line tools, but I am out of my depth with PowerShell.
posted by wenestvedt to Computers & Internet (7 answers total) 1 user marked this as a favorite
 
This is likely possible with some scripting. I'd start here for grabbing the certs: serverfault. Now, here's the hard part. It looks like using Windows PowerShell makes it possible to install certificates programmatically. But they have to be converted into something called a 'PfxCertificate', and I have no clue about the credentials required (it seems like installing a cert is something that should not be possible without user confirmation); my Windows-fu stops around 2005, so *shrug*.

If it is at all possible to replace the certs on the devices with ones signed by a trusted CA that might be an easier option.
posted by dis_integration at 9:04 AM on May 1, 2018 [2 favorites]


I'm assuming this environment is a protected environment like PCI or something where you can't just point the machines at an already existing Active Directory controller and then use that as an internal CA?

(dealing with certificates is part of what I do for a living)

I highly recommend building an internal CA over trying to manage this long term. You will save yourself a lot of pain building out your own internal CA over trying to "fashion together" a "pseudo CA" made up of scripts and self-signed certs.
posted by Annika Cicada at 9:51 AM on May 1, 2018 [1 favorite]


Response by poster: Oh, we have our own internal-only CA, certainly: we're plenty big enough for that. :7)

Unfortunately these are devices where the manufacturer delivers each one with a self-signed cert that we can't (AFAIK) replace. But wait... if we add the manufacturer's root cert to the local store, would all those self-signed certs silently be accepted by the workstation?

I am just trying to save the workstation's user from manually adding exceptions for each of the 200+ devices' certificates because who needs that?
posted by wenestvedt at 9:58 AM on May 1, 2018 [2 favorites]


Response by poster: (And I am deliberately being vague because Security.)
posted by wenestvedt at 9:59 AM on May 1, 2018 [1 favorite]


Best answer: "...if we add the manufacturer's root cert to the local store, would all those self-signed certs silently be accepted by the workstation?"

I believe that would work yes.
posted by Annika Cicada at 10:20 AM on May 1, 2018 [2 favorites]
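The collect-and-import script the question asks for, plus the Subject/Issuer check that settles the root-certificate question just above, as an added PowerShell example; this is not code from the thread or from any vendor. Assumptions: a hypothetical hosts.txt lists one host or host:port per line (port 443 by default); certificates are imported into the current user's Trusted Root store (Cert:\CurrentUser\Root), which needs no admin rights and only affects that user's IE/schannel trust; Import-Certificate comes from the PKI module on Windows 8/Server 2012 and later, and the [type]::new() syntax needs PowerShell 5 or later.

```powershell
# Added example, not from the thread. Assumptions: hosts.txt (hypothetical)
# holds one "host" or "host:port" per line; certs are imported into the
# current user's Trusted Root store; Import-Certificate (PKI module) exists.
param(
    [string]$HostList = '.\hosts.txt',
    [string]$OutDir   = '.\device-certs',
    [string]$Store    = 'Cert:\CurrentUser\Root',
    [switch]$Import      # collect only unless -Import is given
)

$OutDirFull = (New-Item -ItemType Directory -Force -Path $OutDir).FullName

function Get-RemoteCertificate {
    param([string]$Target, [int]$DefaultPort = 443)
    $h, $p = $Target -split ':', 2          # hostnames or IPv4 literals
    $port  = if ($p) { [int]$p } else { $DefaultPort }

    # Accept whatever the device presents: this step only *looks* at the
    # certificate, it does not decide trust. That decision is made below,
    # after the thumbprints have been checked out-of-band.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors) $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($h, $port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($h)
        # Copy the cert out before the stream is disposed.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$targets = Get-Content $HostList | Where-Object { $_.Trim() -and -not $_.StartsWith('#') }

$inventory = foreach ($target in $targets) {
    try   { $cert = Get-RemoteCertificate -Target $target }
    catch { Write-Warning "$target : $($_.Exception.Message)"; continue }

    # DER-encoded .cer is what Import-Certificate and certutil expect.
    $file = Join-Path $OutDirFull (($target -replace '[^\w.-]', '_') + '.cer')
    [IO.File]::WriteAllBytes($file,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    [pscustomobject]@{
        Target     = $target
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        # Subject == Issuer means truly self-signed: no manufacturer root
        # will ever validate it, so the leaf itself is what must be trusted.
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint        # SHA-1 of the DER; verify out-of-band
        File       = $file
    }
}

$inventory | Export-Csv (Join-Path $OutDirFull 'inventory.csv') -NoTypeInformation
$inventory | Format-Table Target, SelfSigned, NotAfter, Thumbprint -AutoSize

# Certs that are *not* self-signed share an issuer; importing that one CA
# certificate (obtained from the vendor, not scraped here) is the cheaper route.
$inventory | Where-Object { -not $_.SelfSigned } |
    Group-Object Issuer | ForEach-Object {
        Write-Host "$($_.Count) device(s) chain to '$($_.Name)': import that CA cert instead."
    }

if ($Import) {
    $trusted = (Get-ChildItem $Store).Thumbprint
    foreach ($row in $inventory | Where-Object SelfSigned) {
        if ($row.Thumbprint -in $trusted) { continue }     # already there, skip
        Import-Certificate -FilePath $row.File -CertStoreLocation $Store | Out-Null
        Write-Host "Imported $($row.Target) ($($row.Thumbprint))"
    }
}
```

Run it once without -Import and compare the thumbprints in inventory.csv against what each device's own console or label shows before re-running with -Import: anything scraped over the network is trust-on-first-use, and an attacker in the path at collection time would be trusted permanently. Trusting the cert also does not silence IE's name-mismatch warning when the device's CN/SAN is not the name used to reach it, so access each device by the name in its certificate. Use Cert:\LocalMachine\Root from an elevated prompt if every user of the workstation needs the trust, and keep the inventory so the run can be repeated when a device's cert rotates.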


you could also look at cert re-chaining. (I work in security; this is a way to do really disturbing things to break the CA model entirely) but certificate re-chaining would also help you do this in a more centralized way. (it's also kinda messy and I would only look at it as a last resort)
posted by Annika Cicada at 10:22 AM on May 1, 2018 [2 favorites]


Best answer: new feature request: Allow an answerer to answer the OP's comment as the best answer :-)
posted by Annika Cicada at 10:24 AM on May 1, 2018 [4 favorites]

