Utilizing a software package to install per-user certificates

Learn how to easily and efficiently install certificates using a software package for enhanced security and privacy.

Written by Jason

Last published at: January 10th, 2025

 

 

In the my.thinscale.com portal under Software Packages → General, we have a package that can be customized to install certificates.

 

Please note you may need to consult with the subject matter expert for the application/service that uses the certificate to see where it needs to be installed. You can also examine a machine that is already set up with the certificate to check its attributes.

 

The first step to take when deploying certificates is to collect some information to determine where the certificates should be installed.


 

  • Check if your certificate should be installed to Current User or Local Machine.

    If you search for “cert” in Windows it will present you with the Console options for managing user certificates (certmgr.msc) vs local machine/computer certificates (certlm.msc).

This guide first covers installing a user certificate to the Personal certificates store, using “bob.crt” as an example certificate.

1.  Open the package either in your Management Console or your Package Creator so we can edit it. First, add the certificate file you intend to use to the package in the Install Files tab.

2.  Next we need to set a Pre-Install Test so that the package will only deploy the certificate if it's missing.  The package includes a script that can test if a cert is present with its identifying thumbprint.

               a.  One method to get the thumbprint is to double-click/open the certificate and look at the details tab to check the thumbprint

               b.  You can also query via PowerShell if the cert has already been installed.

Get-ChildItem -Path Cert:\CurrentUser\My | Select-Object Subject, Thumbprint

 

 

2a.  Edit the Pre-Install test to insert a Script check similar to below, being sure to replace the certificate thumbprint with the one you're using:

$null -ne (Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq "921B97842F23474D8961BFD54911C298316AA558" })

2b.  For the Test Expression, set it equal to false, similar to above, so that the package deploys only when the check does not find the certificate.

 

 

3.  Finally, in the Install Script tab, replace the value of $cert with the matching name of the certificate you are deploying.

Note: the included script in the package is for .cer, .crt, and .pem certificate types.
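The check-then-install flow from steps 2 and 3, written out as one script. This is an added example and not the script shipped in the package; the function name Install-UserCertificate, the expiry check and the demo certificate are assumptions made for illustration.

```powershell
# Added example: Install-UserCertificate is a hypothetical helper name,
# not the script shipped in the ThinScale package.
function Install-UserCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,   # .cer/.crt file to deploy
        [string] $StoreLocation = 'Cert:\CurrentUser\My'
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Read the thumbprint from the file itself so the presence check always
    # matches the certificate that is actually being deployed.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Refusing to install $($cert.Thumbprint): expired on $($cert.NotAfter)."
    }
    # Same thumbprint test as the Pre-Install check; $null on the left keeps
    # the result a boolean even if more than one certificate matches.
    $present = $null -ne (Get-ChildItem -Path $StoreLocation |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    if (-not $present) {
        Import-Certificate -FilePath $fullPath -CertStoreLocation $StoreLocation | Out-Null
    }
    # Confirm the certificate is in the store after the import.
    $installed = Get-ChildItem -Path $StoreLocation |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed) { throw "Import of $($cert.Thumbprint) did not succeed." }
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        AlreadyPresent = $present
    }
}

# Constructed demo input: a throwaway self-signed certificate exported to a
# temporary .cer file, then removed from the store so the install has work to do.
$demo = New-SelfSignedCertificate -Subject 'CN=constructed-demo' -CertStoreLocation Cert:\CurrentUser\My
$file = Join-Path $env:TEMP 'constructed-demo.cer'
Export-Certificate -Cert $demo -FilePath $file | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)" -DeleteKey

# Run twice: the first call imports, the second finds the thumbprint and skips.
Install-UserCertificate -Path $file
Install-UserCertificate -Path $file

# Clean up the demo certificate and file.
Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
Remove-Item -Path $file
```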

 

If instead you are deploying a .pfx or .p12 certificate, you will need to use a script similar to the example below:

Import-PfxCertificate -FilePath $certObj.FullName -CertStoreLocation Cert:\CurrentUser\My

Additionally, if your certificate has a password, you will also need to add the password to your script, similar to below. Please be sure to replace “YourPassword” with the password for your cert.

$password = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
Import-PfxCertificate -FilePath $certObj.FullName -CertStoreLocation Cert:\CurrentUser\My -Password $password