Import Certificates to user account in AD

Post by RmlsaXAgTW » Tue, 09 Aug 2005 16:33:02


Hello everyone.

Does anyone know how to bulk-import certificates to user accounts, which
you normally do this way:

Right-click the user account in AD / Name Mappings... / on the X.509
Certificates tab click Add...

Thank you for your answer.

Filip Markes

Import Certificates to user account in AD

Post by MVP - AD » Tue, 09 Aug 2005 23:26:04

You could potentially script this if VBScript handles byte arrays correctly
(not sure, not a scripter). It is trivially easy to do in .NET and probably
very easy in regular VB as well (or LDIF or PERL for that matter).

The hardest part is having a bulk source of the binary DER-encoded
certificates for each user available. After that, you just read them into
a byte array and set an attribute value for the user's userCertificate
attribute to the byte array for each certificate for the user.

If you want to set userSMIMECertificate, this is a much bigger deal as it
expects a PKCS#7 Signed Data object which means that you must have the
certificate's private key to sign the blob. I also don't think there is an
easy way to create the blob and sign it without the C++ crypto API or
another crypto library.

HTH,

Joe K.


Import Certificates to user account in AD

Post by RmlsaXAgTW » Wed, 10 Aug 2005 00:31:55

Hello Joe!

Thanks for quick answer.
I have already moved forward with this case. An easy script, which you can
easily modify for bulk mapping, is this VBS:

Const ADS_PROPERTY_APPEND = 3

' Bind to the user object whose altSecurityIdentities attribute is to be extended
Set oUser = GetObject("LDAP://CN=Josef Novak,OU=CertTest,dc=contoso,dc=com")

' Mapping string in the form X509:<I>IssuerDN<S>SubjectDN (no spaces inside the DNs)
strMapping = "X509:<I>S=Czech Republic,L=Praque,O=Contoso,E=XXXX@XXXXX.COM,CN=Josef Novak" & _
             "<S>S=Czech Republic,L=Praque,O=Contoso,E=XXXX@XXXXX.COM,CN=Josef Novak"

' Append (rather than overwrite) so existing mappings on the account are kept
oUser.PutEx ADS_PROPERTY_APPEND, "altSecurityIdentities", Array(strMapping)
oUser.SetInfo


It modifies the "altSecurityIdentities" attribute of the user account object in AD.

I hope this will help.


Thank you

Filip Markes
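The two approaches in this thread (Joe's: write the DER bytes into userCertificate; Filip's: write an X509:<I>...<S>... string into altSecurityIdentities) can be done together in one bulk pass. The PowerShell below is an added example written for this page, not code from either poster. It assumes the ActiveDirectory module, a folder of DER .cer files named after each user's sAMAccountName (C:\CertImport, a made-up path), and DNs without escaped commas; all of these are assumptions, not facts from the thread. It also writes an issuer+serial (<SR>) mapping next to the issuer+subject one, because current Windows treats issuer+subject mappings as weak (KB5014754); the serial in <SR> is in reversed byte order, which is exactly what GetSerialNumber() returns.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module present,
# files named <sAMAccountName>.cer in $certDir, DNs contain no escaped commas.
Import-Module ActiveDirectory

$certDir = 'C:\CertImport'   # assumption: folder of DER-encoded certificates

# .NET renders a DN as "CN=x, O=y, C=z"; the Name Mappings dialog writes it
# root-first with no spaces ("C=z,O=y,CN=x"). Convert between the two forms.
function ConvertTo-MappingDN([string]$dotNetDn) {
    $parts = $dotNetDn -split ', '     # assumption: no RDN value contains ", "
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# Build the altSecurityIdentities values for one certificate.
function Get-CertMappings([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $issuer  = ConvertTo-MappingDN $cert.Issuer
    $subject = ConvertTo-MappingDN $cert.Subject
    # GetSerialNumber() returns the serial little-endian, i.e. already byte-reversed,
    # which is the form the <SR> mapping expects.
    $serialRev = -join ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') })
    return @(
        "X509:<I>$issuer<S>$subject",    # issuer+subject: Filip's form, now classed as weak
        "X509:<I>$issuer<SR>$serialRev"  # issuer+serial: a strong mapping
    )
}

Get-ChildItem -Path $certDir -Filter *.cer | ForEach-Object {
    $file = $_
    $sam  = $file.BaseName

    $user = Get-ADUser -Identity $sam -Properties Certificates, altSecurityIdentities `
                       -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "No user '$sam' for $($file.Name), skipped"; return }

    # Parse before writing anything: this rejects PEM or garbage files and
    # gives us issuer, subject and serial for the mapping strings.
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    } catch {
        Write-Warning "$($file.Name) is not a DER certificate, skipped"; return
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($file.Name) expired $($cert.NotAfter), skipped"; return
    }

    # userCertificate (Joe's approach): the DER blob as one value of a
    # multi-valued attribute. -Certificates @{Add=...} appends; skip duplicates.
    $already = $user.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $already) {
        Set-ADUser -Identity $user -Certificates @{ Add = $cert }
    }

    # altSecurityIdentities (Filip's approach): one mapping string per value,
    # appended so existing mappings survive, and never written twice.
    $new = @(Get-CertMappings $cert | Where-Object { $user.altSecurityIdentities -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $user -Add @{ altSecurityIdentities = [string[]]$new }
    }

    Write-Host "$sam <- $($cert.Subject) (thumbprint $($cert.Thumbprint))"
}
```

Two practical points: altSecurityIdentities is an authentication attribute (it decides which certificate logs a user on), so write access to it should be as restricted as a password reset, and any bulk job should log exactly which thumbprint was bound to which account. And because -Add appends, re-running the script without the duplicate checks would pile up repeated mappings rather than fail loudly.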

Import Certificates to user account in AD

Post by MVP - AD » Wed, 10 Aug 2005 01:25:06

Ah, this is slightly different from what I was talking about as this is not
actually adding the user's certificates to AD, but setting the
altSecurityIdentities. That attribute is more straightforward as it is a
simple string syntax.

Depending on what is needed, either or both might be appropriate. If adding
the binary certificates to AD was not what was desired, then I apologize for
the misunderstanding.

Cheers,

Joe K.