Automatically Deploy SSL Certificates to User Profiles


    by Carl Behrent, CTA


    We have a number of external Healthcare ministry websites that require an SSL certificate before the website can be accessed. We had a manual method of removing the expired certificate and installing the new one, which resulted in a number of help desk calls for assistance.

    We wanted a process that would:

    • Reduce help desk calls
    • Be automated and transparent to the end user
    • Only apply the certificate to users in an AD group
    • Be an easy process for IT to replace the certificate annually


    Putting the word out to the Citrix community, I got assistance from some others who had the same scenario.

    We use two files: a VBS file and a PS1 file, both placed in the NETLOGON share, and a GPO that calls the VBS script.

    The VBS script does the following:

    • Runs the PS1 file
    • Doesn't display the command prompt window, so it is invisible to the end user

    The PS1 script does the following:

    • Removes the expired certificate using the thumbprint of that certificate.
    • Imports the new certificate from a file server common location into the user's profile with the certificate password

    NOTE: The files can be downloaded from here:

    1. Deploy Script via GPO

    I created a GPO and modified the Logon Script path to run the VBS file above.

    User Configuration > Policies > Windows Settings > Scripts > Logon

    – Script Name: \\\NETLOGON\Certificates\ImportPFXcert.vbs

    2. Apply Security to GPO

    In our case we wanted to deploy the certificates to users in a certain AD Group.

    Follow this procedure exactly, otherwise the GPO won't apply.

    1. Under Security Filtering, leave Authenticated Users in place. Do not remove it!
    2. Click the Delegation tab
    3. Click the Advanced button
    4. Select Authenticated Users and untick only 'Apply Group Policy' under Allow
    5. Add the AD group and tick 'Apply Group Policy' under Allow
    6. If you go back to Security Filtering you'll notice Authenticated Users is no longer listed and your AD group is; don't worry about this.
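    The same security-filtering change can be made from PowerShell with the GroupPolicy module (RSAT or a domain controller), with a check at the end that the result is what the steps above require. This is an added example, not the article's own procedure; the GPO name and AD group name are assumptions.

```powershell
# Added example (not from the article): the "Apply Security to GPO" steps done with the
# GroupPolicy module. $GpoName and $CertGroup are assumed values for this example.
$GpoName   = 'Deploy Ministry Client Certificate'   # assumed GPO name
$CertGroup = 'CertUsers'                            # assumed AD group that should get the certificate

Import-Module GroupPolicy

# Steps 1-4: keep Authenticated Users on the GPO, but reduce it to Read only (no Apply).
# -Replace removes the existing permission level before setting the new one.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 5: grant Apply Group Policy (which includes Read) to the AD group.
Set-GPPermission -Name $GpoName -TargetName $CertGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 6, verified: Authenticated Users must still be present with GpoRead,
# and the AD group must have GpoApply. Anything else and the GPO will not apply as intended.
$perms     = Get-GPPermission -Name $GpoName -All
$authUsers = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
$group     = $perms | Where-Object { $_.Trustee.Name -eq $CertGroup }

if ($null -eq $authUsers -or $authUsers.Permission -ne 'GpoRead') {
    throw "Authenticated Users must keep Read on '$GpoName' or the GPO will not apply"
}
if ($null -eq $group -or $group.Permission -ne 'GpoApply') {
    throw "'$CertGroup' does not have Apply Group Policy on '$GpoName'"
}
Write-Output "Security filtering on '$GpoName' is correct: Read for Authenticated Users, Apply for $CertGroup"
```

    Run it once as a user with edit rights on the GPO; the final check is also a handy way to confirm an existing GPO that "doesn't apply" still has Read for Authenticated Users.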

    Extra Info

    Process for getting the thumbprint of the expiring certificate

    1. Log in as a user who has the expiring certificate installed
    2. Run: Get-ChildItem -Path Cert:\CurrentUser\My. This lists all installed certificates for that user; note down the thumbprint
    3. In the PS1 script, edit the Remove-Item .... line and include the new thumbprint
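    As an added example of what the PS1 script described earlier does (remove the expiring certificate by thumbprint, import the new PFX from a common file server location into the user's Personal store) and of where the thumbprint from the steps above ends up, here is a per-user logon script written for this article. It is not the downloadable ImportPFXcert.ps1; the thumbprint, share path, PFX password and log location are placeholders or assumptions.

```powershell
# Added example, not the article's own ImportPFXcert.ps1.
# Replaces an expiring client certificate in the current user's Personal store.
# Every value in this section is a placeholder or assumption; edit it for your environment.
$OldThumbprint = 'PLACEHOLDER_OLD_THUMBPRINT'              # noted from Get-ChildItem Cert:\CurrentUser\My
$PfxPath       = '\\fileserver\Certificates\ministry.pfx'  # assumed common location on the file server
$PfxPassword   = ConvertTo-SecureString 'PLACEHOLDER_PFX_PASSWORD' -AsPlainText -Force
$LogPath       = Join-Path $env:LOCALAPPDATA 'ImportPFXcert.log'   # per-user log for help desk troubleshooting

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

try {
    if (-not (Test-Path -Path $PfxPath)) {
        Write-Log "PFX not found at $PfxPath; nothing changed"
        exit 1
    }

    # Import first, so a failed import never leaves the user with no certificate at all.
    # Import-PfxCertificate (PKI module) returns the X509Certificate2 it stored, so the
    # new thumbprint does not have to be hard-coded and the script is safe to run every logon.
    $newCert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword
    Write-Log "Imported certificate $($newCert.Thumbprint) (expires $($newCert.NotAfter))"

    # Remove the old certificate only if it is actually present and is not the one just imported.
    $oldCert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $OldThumbprint }

    if ($null -eq $oldCert) {
        Write-Log "Old certificate $OldThumbprint not present; nothing to remove"
    } elseif ($oldCert.Thumbprint -eq $newCert.Thumbprint) {
        Write-Log "Old and new thumbprints match; nothing to remove"
    } else {
        # -DeleteKey also removes the private key container, not just the certificate entry.
        Remove-Item -Path "Cert:\CurrentUser\My\$OldThumbprint" -DeleteKey
        Write-Log "Removed certificate $OldThumbprint"
    }
} catch {
    Write-Log "Failed: $($_.Exception.Message)"
    exit 1
}
```

    Two points worth checking before rolling this out. The PFX password sits in clear text in a script on NETLOGON, which every domain user can read, so the PFX file itself should live on a share whose ACL is limited to the same AD group the GPO targets; otherwise any domain user can recover the private key. And because the script only removes one hard-coded thumbprint, the annual replacement is exactly the edit described above: note the thumbprint of the certificate being retired, update $OldThumbprint, and drop the new PFX in the common location.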
