Install a new SSL-certificate on Windows XP machines

On one of the networks I maintain, I had to roll out a new SSL certificate for the IMAP-SSL services, because the old certificate would expire within a few days. On this network most users run MS Windows XP in combination with a Samba file server.

Some time ago I rolled out the logon.bat setup. Every user on the network has an LNK file in their ‘Startup’ folder that calls a netlogon script on the server, which takes care of the following:

  • Remove all existing network-shares
  • Connect the H-drive to their personal share on the server
  • Connect the P-drive to the public-share on the server
  • Reset the proxy settings for IE by injecting registry data

So I wanted to use this script to roll out the new certificate… but that is not so easy on a Windows system.
I needed a tool that could add a certificate to the certificate store from the command line.
After some searching, I found the tool certutil.exe.

But getting certutil.exe was not so easy… it is part of Windows 2k3 Server, but getting hold of a 2k3 server isn’t the problem. So I copied the file and a DLL from it, placed them on the Samba server, and added a line to logon.bat:

p:\network\bin\certutil.exe -addstore -f -user root p:\network\cert\new.cer

Users get a security warning only the first time, asking whether they want to install the certificate…

and if they don’t want to install the certificate… they won’t have e-mail
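Because the logon script adds whatever file sits at that path to every user's root store, it is worth checking the file's thumbprint against a value obtained out of band before copying it to the share. The following is an added example, not part of the original post; it assumes Python is available on the admin side, and the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for the contents of new.cer: a tiny valid DER SEQUENCE,
# not a real certificate. Only the raw bytes matter for a thumbprint.
SAMPLE_DER = bytes.fromhex("3003020101")

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a .cer file, which may be DER or Base64 (PEM)."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    if data[:1] == b"\x30":  # DER certificates start with a SEQUENCE tag
        return data
    raise ValueError("not a DER or PEM certificate file")


def thumbprint(data: bytes, algo: str = "sha1") -> str:
    """Hex digest over the DER encoding; SHA-1 is what Windows displays."""
    return hashlib.new(algo, to_der(data)).hexdigest()


def normalise(pin: str) -> str:
    """Drop spaces, colons and invisible characters pasted from a dialog."""
    return re.sub(r"[^0-9a-fA-F]", "", pin).lower()


def matches_pin(data: bytes, pin: str, algo: str = "sha1") -> bool:
    """True only if the file's thumbprint equals the pinned value."""
    return hmac.compare_digest(thumbprint(data, algo), normalise(pin))


if __name__ == "__main__":
    # Constructed pin, derived here from the sample bytes; a real pin comes
    # from whoever issued the certificate, not from the file being checked.
    pin = thumbprint(SAMPLE_DER).upper()
    pem_copy = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
    print("DER copy matches pin:", matches_pin(SAMPLE_DER, pin))
    print("PEM copy matches pin:", matches_pin(pem_copy, pin))
    print("altered file matches pin:", matches_pin(SAMPLE_DER + b"\x00", pin))
```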