Site icon BLOGS

Automatically Deploy SSL Certificates to User Profiles

by Carl Behrent, CTA


We have a number of external Healthcare ministry websites that an SSL certificate before the website can be accessed. We had a manual method of removing the expired certificate and installing the new certificate, this results in a number of help desk calls for assistance.

We wanted a process that would:


Putting the word out to the Citrix community, I got assistance from some others who had the same scenario.

We use two files: a VBS and PS1 file get put into the NETLOGON share and use GPO to call up the VBS script.

The VBS script does the following:

The PS1 script does the following:

NOTE: The files can be downloaded from here:

1. Deploy Script via GPO

I created a GPO and modified the Logon Script path to run the VBS file above.

User Configuration > Policies > Windows Settings > Scripts > Logon

– Script Name: \\\NETLOGON\Certificates\ImportPFXcert.vbs

2. Apply Security to GPO

In our case we wanted to deploy the certificates to users in a certain AD Group.

Follow this procedure exactly otherwise the GPO won’t apply

  1. Under Security Filtering leave Authenticated Usersdo not remove!!
  2. Click Delegation tab
  3. Click Advanced button
  4. Select Authenticated Users, untick ‘Apply Group Policy’ under Allow only
  5. Add in AD Group, tick ‘Apply Group Policy’ under Allow
  6. If you go back to Security Filtering you’ll notice Authenticated Users has now gone and your AD Group is listed, don’t worry about this.

Extra Info

Process for getting the thumbprint of the expiring certificate

  1. Log in as a user who has the expiring certificate installed
  2. Run: Get-ChildItem -path cert:\CurrentUser\My – this will show all installed certificates for that user, note down the thumbprint
  3. In the PS1 script edit the line Remove-Item …. and include the new thumbprint
Exit mobile version