Automatically Deploy SSL Certificates to User Profiles

by Carl Behrent, CTA


We have a number of external Healthcare ministry websites that an SSL certificate before the website can be accessed. We had a manual method of removing the expired certificate and installing the new certificate, this results in a number of help desk calls for assistance.

We wanted a process that would:

  • Reduce help desk calls
  • Be automated and transparent to the end user
  • Only apply the certificate to users in an AD group
  • Be an easy process for IT to replace the certificate annually


Putting the word out to the Citrix community, I got assistance from some others who had the same scenario.

We use two files: a VBS and PS1 file get put into the NETLOGON share and use GPO to call up the VBS script.

The VBS script does the following:

  • Runs the PS1 file
  • Doesn’t display the command prompt window – so invisible to the end user

The PS1 script does the following:

  • Removes the expired certificate using the thumbprint of that certificate.
  • Imports the new certificate from a file server common location into the user’s profile with the certificate password

NOTE: The files can be downloaded from here:

1. Deploy Script via GPO

I created a GPO and modified the Logon Script path to run the VBS file above.

User Configuration > Policies > Windows Settings > Scripts > Logon

– Script Name: \\\NETLOGON\Certificates\ImportPFXcert.vbs

2. Apply Security to GPO

In our case we wanted to deploy the certificates to users in a certain AD Group.

Follow this procedure exactly otherwise the GPO won’t apply

  1. Under Security Filtering leave Authenticated Usersdo not remove!!
  2. Click Delegation tab
  3. Click Advanced button
  4. Select Authenticated Users, untick ‘Apply Group Policy’ under Allow only
  5. Add in AD Group, tick ‘Apply Group Policy’ under Allow
  6. If you go back to Security Filtering you’ll notice Authenticated Users has now gone and your AD Group is listed, don’t worry about this.

Extra Info

Process for getting the thumbprint of the expiring certificate

  1. Log in as a user who has the expiring certificate installed
  2. Run: Get-ChildItem -path cert:\CurrentUser\My – this will show all installed certificates for that user, note down the thumbprint
  3. In the PS1 script edit the line Remove-Item …. and include the new thumbprint

Leave a Reply