Why?
Why not use Group Policy and AD to manage user certificates?
These are 3rd party certificates and we wish to assign friendly names when they show up in the personal store. But we need to know when they show up to do so. I'm not aware of any basic functionality in Windows that allows for the permanent assignment of friendly names to certificates that are only assigned to the personal store as long as the smart card is in the reader. That is my "why"
- Edited by Smitty Werbenjagermanjensen 12 hours 49 minutes ago
There is no automatic way to do this. You can grab the event in the event log that is generated. It should have all of the cert info like subject. This will allow you to run an event log task that can rename the cert.
First learn to use EL tasks and how to add scripts. There are a number of blogs on this.
Look at the registry and decide which events are useful.
Here is a bootstrap. This is the kind of event generated when a cert has an issue or is added or removed.
Log Name:      Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
Source:        Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Date:          7/15/2015 6:12:04 PM
Event ID:      1003
Task Category: None
Level:         Warning
Keywords:
User:          W8TEST\jsmith
Computer:      W8Test
Description:
A certificate is about to expire. Please refer to the "Details" section for more information.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-User" Guid="{bea18b89-126f-4155-9ee4-d36038b02680}" />
    <EventID>1003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-15T22:12:04.223422100Z" />
    <EventRecordID>99</EventRecordID>
    <Correlation />
    <Execution ProcessID="2816" ThreadID="3608" />
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational</Channel>
    <Computer>W8Test</Computer>
    <Security UserID="XXXXXXXXXXXXXXXXXXXXXXXXX" />
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhost.exe" AccountName="XXXXXXXXX" Context="User">
      <CertificateDetails Thumbprint="1d32c66b90b66034444444444e3417d29e">
        <EKUs>
          <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" />
        </EKUs>
        <NotValidAfter>2015-07-16T00:11:12Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>
You need to look up the event ID for an added cert. Add a cert and look at this store for the new cert.
You can define and install the tasks via GP distribution of scheduled tasks.
Note that certs are not stored as files on the system. They are stored in an encrypted form.
PowerShell can directly read the cert store.
dir cert:\CurrentUser\My
You cannot park an event on the cert store with a scripting system. It may not be possible at all, even with code.
Here is a blog on how to use the new cert events and definitions of all events:
http://blogs.msdn.com/b/key_developments/archive/2013/03/13/windows-8-certificate-notifications.aspx
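As an added example (not code from the answer above, and only applicable on Windows 8 and later where the Lifecycle-User channel exists), here is a PowerShell script of the kind an event-triggered scheduled task could run in the user's context: it pulls recent events from that channel, extracts the thumbprint from each event's UserData, and sets a friendly name only on certificates issued by a configured 3rd-party CA. The event ID for "certificate added" is left as a parameter because the thread does not identify it (1003 shown above is "about to expire"); the issuer DN and friendly name in the map are placeholders. Matching on the issuer rather than on the subject keeps the task from renaming an unrelated certificate that happens to share a subject.

```powershell
# Added example, not from the original thread. Run as the action of a scheduled task
# triggered by the CertificateServicesClient-Lifecycle-User channel, in the user's context.

$Channel = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'

# Assumption: map the issuer DN of each 3rd-party CA to the friendly name to apply.
# Replace the placeholder DN/name with the real ones.
$FriendlyNameByIssuer = @{
    'CN=Example Third-Party CA, O=Example Corp' = 'Example Corp Smart Card Logon'
}

function Get-LifecycleThumbprint {
    # Returns the distinct thumbprints carried by the most recent events with the given ID.
    # $EventId must be the "certificate added" ID from the channel's event definitions.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [int]$MaxEvents = 20
    )
    Get-WinEvent -LogName $Channel -FilterXPath "*[System[EventID=$EventId]]" `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            # Thumbprint is an attribute of UserData/CertNotificationData/CertificateDetails
            $xml.Event.UserData.CertNotificationData.CertificateDetails.Thumbprint
        } |
        Where-Object { $_ } |
        Select-Object -Unique
}

function Set-ThirdPartyFriendlyName {
    # Sets the friendly name on one cert in the user's Personal store if, and only if,
    # its issuer is one of the configured 3rd-party CAs.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { return }                      # event refers to a cert no longer in My

    $name = $FriendlyNameByIssuer[$cert.Issuer]
    if (-not $name) { return }                      # not one of ours; leave it alone
    if ($cert.FriendlyName -eq $name) { return }    # already named

    # Assigning FriendlyName on a store-backed X509Certificate2 writes the
    # friendly-name property into the store for that certificate.
    $cert.FriendlyName = $name
    Write-Verbose "Set friendly name '$name' on $Thumbprint"
}

# Usage (hypothetical event ID supplied by the caller or the task definition):
# Get-LifecycleThumbprint -EventId <added-cert-event-id> | ForEach-Object { Set-ThirdPartyFriendlyName -Thumbprint $_ }
```

Because the task only touches certificates whose issuer is in the map and skips ones already named, it is safe to let it run repeatedly, which is what an event-triggered task will do each time the channel logs a matching event.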
It appears I found a way to do this. We are not running Windows 8, so unfortunately I cannot make use of the new events, and I can't find any other event ID in Windows 7 that is tied to a certificate registration. However, I found that if I use FileSystemWatcher to monitor the user's local certificate store (userid\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\) for the creation of new files (addition of a certificate), then I can trigger the routine to run through the user's certificate inventory and modify the friendly name property.
Seems to be working.
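As an added example (not the poster's own script), a PowerShell version of the FileSystemWatcher approach described above: it watches the per-user Personal store directory under %APPDATA%, and on each file creation resolves the new entry in Cert:\CurrentUser\My and applies a friendly name if the issuer is one of the configured 3rd-party CAs. It assumes the file names in that directory are the certificates' SHA-1 thumbprints, which is how the CryptoAPI file-backed store names them; the issuer DN and friendly name are placeholders. A catch-up pass at startup covers certificates that were propagated before the watcher came up.

```powershell
# Added example, not from the original thread. Intended to run in the user's session
# (e.g. as a logon-triggered scheduled task) on Windows 7, where the lifecycle events
# are not available.

$StoreDir = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'

# Assumption: issuer DN -> friendly name for the 3rd-party CAs. Placeholder values.
$FriendlyNameByIssuer = @{
    'CN=Example Third-Party CA, O=Example Corp' = 'Example Corp Smart Card Logon'
}

function Set-FriendlyNameIfThirdParty {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][hashtable]$Map
    )
    $name = $Map[$Cert.Issuer]
    if ($name -and $Cert.FriendlyName -ne $name) {
        # Writes the friendly-name property into the user's store for this cert.
        $Cert.FriendlyName = $name
    }
}

# Catch-up: anything already in the Personal store when we start.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    Set-FriendlyNameIfThirdParty -Cert $_ -Map $FriendlyNameByIssuer
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $StoreDir
$watcher.Filter = '*'
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.IncludeSubdirectories = $false

$onCreated = {
    # File name in this directory is the certificate's SHA-1 thumbprint (40 hex chars).
    $thumb = $Event.SourceEventArgs.Name
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') { return }

    # Give CryptoAPI a moment to finish writing the blob before we read it back.
    Start-Sleep -Milliseconds 500

    $cert = Get-Item "Cert:\CurrentUser\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) { return }

    $map  = $Event.MessageData
    $name = $map[$cert.Issuer]
    if ($name -and $cert.FriendlyName -ne $name) { $cert.FriendlyName = $name }
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
                     -SourceIdentifier CertStoreCreated `
                     -Action $onCreated -MessageData $FriendlyNameByIssuer | Out-Null
$watcher.EnableRaisingEvents = $true

# Keep the process alive so the watcher keeps firing; stop with Unregister-Event CertStoreCreated.
while ($true) { Start-Sleep -Seconds 60 }
```

Since smart card certificates are re-propagated into the Personal store each time the card is inserted, the watcher fires again on every insertion and re-applies the name, which is what makes the cosmetic change survive even though the property itself does not persist across removals.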