
How to deploy the certificates used to sign an Infopath Form Templ

Posted by Alun Jones on February 22, 2006, 4:37 pm
Okay, so I've signed the form template in InfoPath, and posted it to a
Sharepoint Forms Library.

Now, my users are asked if they want to trust the certificate.

Since this is in an enterprise, I'd really like it if they already trusted
the certificate.

Obviously, there's two certificates I have to deploy at my users' systems -
one is the certificate with which I signed the template, and this must be
installed into "Trusted Publishers"; the other is the root CA certificate,
which needs to be installed in "Trusted Root CAs".

Is there documentation that lists how I can roll out these certificates to
an enterprise - is this something a Group Policy Object can do?

Up until now, I've been more on the developer side of certificates and PKI,
so the administrative side is new to me.

Posted by Steven L Umbach on February 22, 2006, 7:24 pm
Yes you can use Group Policy for computers that are in an AD domain. Look
under computer configuration/Windows settings/security settings/public key
policies for trusted root CA and for enterprise trust where you can create a
CTL that includes the publisher certificate. The links below explain
re. --- Steve

http://msdn2.microsoft.com/en-us/library/01daf08f.aspx
http://technet2.microsoft.com/WindowsServer/en/Library/2c03582f-00b2-43e5-ae1d-493894ad0fd71033.mspx

> Okay, so I've signed the form template in InfoPath, and posted it to a
> Sharepoint Forms Library.
>
> Now, my users are asked if they want to trust the certificate.
>
> Since this is in an enterprise, I'd really like it if they already trusted
> the certificate.
>
> Obviously, there's two certificates I have to deploy at my users'
> systems -
> one is the certificate with which I signed the template, and this must be
> installed into "Trusted Publishers"; the other is the root CA certificate,
> which needs to be installed in "Trusted Root CAs".
>
> Is there documentation that lists how I can roll out these certificates to
> an enterprise - is this something a Group Policy Object can do?
>
> Up until now, I've been more on the developer side of certificates and
> PKI,
> so the administrative side is new to me.



Posted by Alun Jones on March 6, 2006, 9:22 pm
>Yes you can use Group Policy for computers that are in an AD domain. Look
>under computer configuration/Windows settings/security settings/public key
>policies for trusted root CA and for enterprise trust where you can create a
>CTL that includes the publisher certificate. The links below explain
>re. --- Steve
>
>http://msdn2.microsoft.com/en-us/library/01daf08f.aspx
>http://technet2.microsoft.com/WindowsServer/en/Library/2c03582f-00b2-43e5-ae1d-493894ad0fd71033.mspx

Thanks for the links, but I'm having trouble with the CTL creation - it tells
me that I'm importing certificates of the wrong type. The only type it will
accept are self-signed CA certificates, and reading further into the
documentation, that seems to make sense - the CTL in Enterprise Trusts is a
list of CAs that we trust to sign certificates for certain purposes.

You can see why I'm having trouble finding exactly where to put this
certificate.

Recap:

I have a form, signed and published. The code signing certificate _and_ the
CA need to be installed on the user's certificate store in order for the user
not to be pestered by dialog boxes on which he will press the wrong buttons,
or be scared away.

I can roll out the CA certificate with no problems whatsoever, but I cannot
find a place to roll out the code signing certificate so that it automatically
ends up in the Trusted Publishers store of all of my users.

Enterprise Trust would seem to be where the Microsoft articles are suggesting,
but research into the documentation says no, as well as the GPO Management
tool itself, which refuses to let me add anything but a self-signed CA
certificate.

So, how do I get the code-signing certificate into the Trusted Publishers
store for my users?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Posted by Alun Jones on March 10, 2006, 1:58 pm
I tried to post this yesterday, but it didn't come through. Apologies if
this is a repeat.

After much effort, and a little tinkering (full story on my blog at
http://msmvps.com/alunj), I found that the answer is that you don't use a
CTL, despite whatever Microsoft's documentation may say on the matter.

The way to deploy a code signing certificate to the Trusted Publishers store
is to create a Group Policy Object with Software Restriction Policies added.
Add a Certificate Rule for each certificate that you're deploying, with the
certificate set to the code-signing certificate, and the Security Level set
to "Unrestricted".

If you also need to deploy the root CA certificate, you can do that as
specified in the Microsoft documentation as a Trusted Root.

Alun.
~~~~

"Alun Jones" wrote:

> Okay, so I've signed the form template in InfoPath, and posted it to a
> Sharepoint Forms Library.
>
> Now, my users are asked if they want to trust the certificate.
>
> Since this is in an enterprise, I'd really like it if they already trusted
> the certificate.
>
> Obviously, there's two certificates I have to deploy at my users' systems -
> one is the certificate with which I signed the template, and this must be
> installed into "Trusted Publishers"; the other is the root CA certificate,
> which needs to be installed in "Trusted Root CAs".
>
> Is there documentation that lists how I can roll out these certificates to
> an enterprise - is this something a Group Policy Object can do?
>
> Up until now, I've been more on the developer side of certificates and PKI,
> so the administrative side is new to me.
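
A way to confirm on a client that the Group Policy described in the post above delivered both certificates. This is an added example, not part of the original thread; the two `.cer` paths are placeholders for exported copies of your own signing and root CA certificates, and `Test-CertInStore` is a helper name made up for this sketch.

```powershell
# Added example: run on a client after "gpupdate /force" to verify the rollout.
param(
    [string]$SignerCer = 'C:\Temp\form-signer.cer',      # placeholder path
    [string]$RootCer   = 'C:\Temp\enterprise-root.cer'   # placeholder path
)

# Hypothetical helper: returns the scope where the thumbprint was found, or $null.
function Test-CertInStore {
    param([string]$Thumbprint, [string]$StoreName)
    # Policy can be applied per computer or per user, so look in both scopes.
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        if (Test-Path -LiteralPath "Cert:\$scope\$StoreName\$Thumbprint") {
            return $scope
        }
    }
    return $null
}

$x509   = 'System.Security.Cryptography.X509Certificates'
$signer = New-Object "$x509.X509Certificate2" $SignerCer
$root   = New-Object "$x509.X509Certificate2" $RootCer

# The signing certificate should carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$eku = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = [bool]($eku -and ($eku.EnhancedKeyUsages |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))

# Build the chain locally (no revocation lookup) and see where it terminates.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk   = $chain.Build($signer)
$last      = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$statusTxt = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

[pscustomobject]@{
    SignerSubject            = $signer.Subject
    SignerInTrustedPublisher = Test-CertInStore $signer.Thumbprint 'TrustedPublisher'
    RootInTrustedRoot        = Test-CertInStore $root.Thumbprint 'Root'
    HasCodeSigningEku        = $hasCodeSigning
    SignerNotExpired         = (Get-Date) -lt $signer.NotAfter
    ChainBuilds              = $chainOk
    ChainEndsAtExpectedRoot  = $last.Thumbprint -eq $root.Thumbprint
    ChainStatus              = $statusTxt
}
```

An empty `SignerInTrustedPublisher` or `RootInTrustedRoot` value means that certificate has not reached the corresponding store on this machine, which is the condition that produces the trust prompt described at the start of the thread.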

Posted by Steven L Umbach on March 10, 2006, 9:02 pm
Thanks for reporting back what worked and sorry to give you a link that was
a wrong turn! --- Steve


>I tried to post this yesterday, but it didn't come through. Apologies if
> this is a repeat.
>
> After much effort, and a little tinkering (full story on my blog at
> http://msmvps.com/alunj), I found that the answer is that you don't use a
> CTL, despite whatever Microsoft's documentation may say on the matter.
>
> The way to deploy a code signing certificate to the Trusted Publishers
> store
> is to create a Group Policy Object with Software Restriction Policies
> added.
> Add a Certificate Rule for each certificate that you're deploying, with
> the
> certificate set to the code-signing certificate, and the Security Level
> set
> to "Unrestricted".
>
> If you also need to deploy the root CA certificate, you can do that as
> specified in the Microsoft documentation as a Trusted Root.
>
> Alun.
> ~~~~
>
> "Alun Jones" wrote:
>
>> Okay, so I've signed the form template in InfoPath, and posted it to a
>> Sharepoint Forms Library.
>>
>> Now, my users are asked if they want to trust the certificate.
>>
>> Since this is in an enterprise, I'd really like it if they already
>> trusted
>> the certificate.
>>
>> Obviously, there's two certificates I have to deploy at my users'
>> systems -
>> one is the certificate with which I signed the template, and this must be
>> installed into "Trusted Publishers"; the other is the root CA
>> certificate,
>> which needs to be installed in "Trusted Root CAs".
>>
>> Is there documentation that lists how I can roll out these certificates
>> to
>> an enterprise - is this something a Group Policy Object can do?
>>
>> Up until now, I've been more on the developer side of certificates and
>> PKI,
>> so the administrative side is new to me.


