I am looking to distribute an SSL client certificate to Citrix users.
I know that for each user I could run this:
certutil -f -p 12345 -importpfx C:\cert.pfx
The above would install the certificate to the user's Personal store and this would allow them access, but would be hard to manage for many users.
I am wondering if there is another store on the server where I can install the SSL certificate that will allow all users access to the SSL certificate? Or if there is a better way to distribute the client certificate for each user?
Thanks!
There are a couple of options using group policy (which would probably be the best option and most manageable).
For a server certificate that identifies the server you are connecting to, you just need to make sure that the Certificate Authority (CA) that created the cert is trusted by the machine that the user is on. For publicly trusted CAs this is handled for you (VeriSign, GeoTrust, etc. are trusted by Microsoft and automatically have the references); however, if it is an internal CA, using Group Policy you edit the following node: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Add the public key (do not publish the private key) to that node and make sure it is set to a Group Policy that contains the computers you want to trust the server.
If you want to trust a user certificate there is a bit more involved as you need to have autoenrollment for certificates in your internal CA. See this walkthrough about creating an autoenrollment policy for users using a CA template: http://technet.microsoft.com/en-us/library/cc770857.aspx
You will need to trust the CA providing the user certificates on the Citrix server to ensure that the server will accept the certificate as a valid user identification.
Hopefully that will give you what you need.
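A check to run in a user's session on the Citrix server once the Group Policy trust and autoenrollment described in the answer are in place, to confirm that the root is trusted machine-wide and that the user holds a client-authentication certificate chaining to it. This is an added example, not part of the original answer; the root CA thumbprint is a placeholder to replace with your own.

```powershell
# Added example. Assumption: $RootThumbprint is a placeholder for your internal root CA.
$RootThumbprint = '<INTERNAL-ROOT-CA-THUMBPRINT>'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Is the internal root CA in the machine-wide store that the GPO node populates?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint }
if (-not $root) { Write-Warning 'Internal root CA is not in LocalMachine\Root' }

# 2. Does this user hold a currently valid certificate with a private key
#    and the Client Authentication EKU in their Personal store?
$now = Get-Date
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
}
if (-not $candidates) {
    Write-Warning 'No valid client-authentication certificate in CurrentUser\My'
}

# 3. Does each candidate build a chain that ends at the expected root?
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises CRL reachability
    $chainValid = $chain.Build($cert)
    $rootMatches = $false
    if ($chain.ChainElements.Count -gt 0) {
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootMatches = ($last.Thumbprint -eq $RootThumbprint)
    }
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Expires     = $cert.NotAfter
        ChainValid  = $chainValid
        RootMatches = $rootMatches
    }
}
```

A certificate with no EKU extension at all is valid for any purpose but is skipped by the filter in step 2, so adjust that test if your template omits the extension.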