How to deploy the certificates used to sign an Infopath Form Templ

Alun Jones

Okay, so I've signed the form template in InfoPath, and posted it to a
Sharepoint Forms Library.

Now, my users are asked if they want to trust the certificate.

Since this is in an enterprise, I'd really like it if they already trusted
the certificate.

Obviously, there's two certificates I have to deploy at my users' systems -
one is the certificate with which I signed the template, and this must be
installed into "Trusted Publishers"; the other is the root CA certificate,
which needs to be installed in "Trusted Root CAs".

Is there documentation that lists how I can roll out these certificates to
an enterprise - is this something a Group Policy Object can do?

Up until now, I've been more on the developer side of certificates and PKI,
so the administrative side is new to me.
 
Steven L Umbach

Alun Jones

"Steven L Umbach" said:
Yes you can use Group Policy for computers that are in an AD domain. Look
under computer configuration/Windows settings/security settings/public key
policies for trusted root CA and for enterprise trust where you can create a
CTL that includes the publisher certificate. The links below explain
re. --- Steve

http://msdn2.microsoft.com/en-us/library/01daf08f.aspx
http://technet2.microsoft.com/WindowsServer/en/Library/2c03582f-00b2-43e5-ae1d-493894ad0fd71033.mspx

Thanks for the links, but I'm having trouble with the CTL creation - it tells
me that I'm importing certificates of the wrong type. The only type it will
accept are self-signed CA certificates, and reading further into the
documentation, that seems to make sense - the CTL in Enterprise Trusts is a
list of CAs that we trust to sign certificates for certain purposes.

You can see why I'm having trouble finding exactly where to put this
certificate.

Recap:

I have a form, signed and published. The code signing certificate _and_ the
CA need to be installed on the user's certificate store in order for the user
not to be pestered by dialog boxes on which he will press the wrong buttons,
or be scared away.

I can roll out the CA certificate with no problems whatsoever, but I cannot
find a place to roll out the code signing certificate so that it automatically
ends up in the Trusted Publishers store of all of my users.

Enterprise Trust would seem to be where the Microsoft articles are suggesting,
but research into the documentation says no, as well as the GPO Management
tool itself, which refuses to let me add anything but a self-signed CA
certificate.

So, how do I get the code-signing certificate into the Trusted Publishers
store for my users?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Alun Jones

I tried to post this yesterday, but it didn't come through. Apologies if
this is a repeat.

After much effort, and a little tinkering (full story on my blog at
http://msmvps.com/alunj), I found that the answer is that you don't use a
CTL, despite whatever Microsoft's documentation may say on the matter.

The way to deploy a code signing certificate to the Trusted Publishers store
is to create a Group Policy Object with Software Restriction Policies added.
Add a Certificate Rule for each certificate that you're deploying, with the
certificate set to the code-signing certificate, and the Security Level set
to "Unrestricted".

If you also need to deploy the root CA certificate, you can do that as
specified in the Microsoft documentation as a Trusted Root.

Alun.
~~~~
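An added verification script, not from the thread or from any Microsoft documentation, that a practitioner can run on a workstation after the GPO has applied to confirm both certificates landed where the post above says they must: the signing certificate in Trusted Publishers and its root in Trusted Root CAs, with a chain that validates for code signing. The thumbprint parameter is a placeholder.

```powershell
# Added example: check that the GPO-deployed certificates are in place.
# $CodeSigningThumbprint is a placeholder; replace it with the thumbprint of
# the certificate that signed the InfoPath form template.
param(
    [string]$CodeSigningThumbprint = 'REPLACE_WITH_SIGNING_CERT_THUMBPRINT'
)

$thumb = $CodeSigningThumbprint.ToUpperInvariant()

# The SRP certificate rule should place the signing cert in Trusted Publishers.
# Check the machine store first, then the user store.
$publisher = @('Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher') |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1

if (-not $publisher) {
    Write-Error "Certificate $thumb is not in any Trusted Publishers store; the GPO has not applied (try gpupdate /force, then gpresult /r)."
    exit 1
}

# Build the chain specifically for the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$codeSigningOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' in production
$chainOk = $chain.Build($publisher)

# The last element of the built chain is the root; it must be a Trusted Root CA.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }

[pscustomobject]@{
    SigningCertInTrustedPublishers = [bool]$publisher
    ChainBuildsForCodeSigning      = $chainOk
    ChainStatus                    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    RootSubject                    = $root.Subject
    RootInTrustedRootStore         = [bool]$rootTrusted
}
```

A result with ChainBuildsForCodeSigning false but the certificate present usually means the root CA half of the deployment is missing, which is the second GPO setting the post describes.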
 
Steven L Umbach

Thanks for reporting back what worked and sorry to give you a link that was
a wrong turn! --- Steve
 
Alun Jones

"Steven L Umbach" said:
Thanks for reporting back what worked and sorry to give you a link that was
a wrong turn! --- Steve

Eh... that's a whole lot better than anyone else here did.

Even if you feel like that wasn't much use, you at least confirmed to me that
the articles I had found were pretty much the limit of the documentation, and
that there wasn't some gem of a document buried in the mire.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 