Yesterday I created an Unattended Installation of a webapplication. Of course it was “just a web link” and the application vendor usually says: you don’t need to install it just go the URL and that’s it.

The reality is usually that you go to the URL and need to install several (ActiveX) components and maybe other dependencies such as Java.

While a user may have the permissions for this on his own pc, on a Citrix or Terminal Server environment this is highly unlikely.

So we need to package and pre-install this for the users.

Nothing special so far but this particular application had some special things that were interesting enough to blog about.

So let’s start with what happened, I visited the URL of an application called Centric Key 2 Financien.

First I got a few popups with Certificates that needed to be accepted:


The application’s instructions say that the user must accept this and set the “Always trust content from this publisher” checkbox.

If you do that a file called trusted.certs is generated in %appdata%\Sun\Java\Deployment\Security.

So I think it’s better to pre-deploy these certificates so we don’t have to bother the user with accepting this (and relieve the helpdesk because the user will probably call them).

The easiest resolution would probably be to copy this trusted.certs file to a network share and deploy it to all users (eg with the Logon Script).

But what will happen if the user already had a trusted.certs file or if we have another application that wants to place certificates there?

As you have probably guessed by now I went for the “difficult” option and found another solution!

Java comes with a tool called keytool that is Java’s bin directory (C:\Program Files\Java\Jre6\Bin in my case).

We can use keytool to list the certificates in the trusted.certs file:

When keytool asks for the Store Password just press Enter. To be able to export the certificates we need the Alias name so we can filter that out:

In my case it showed the Aliases for 2 certificates:

Now that we know the Alias we can use the -export switch to export the certificate to a .cer file:

Now we can deploy the Certificates using Group Policies, in my case I am adding the Certificates to the Citrix GPO.

Open the Policy, go to Computer Configuration | Windows Settings | Security Settings | Public Key Policies.

Now Right Click on Trusted Publishers and choose Import and import both Certificate Files:


You also need check if the Certificate can be resolved, in my case I needed to add the Thawte Code Signing CA to the Intermediate Certification Authorities store.

You can check the deployment by opening the MMC Certificates Addin (for Current User) as a user that has the policy applied:


Double Click the Certificate and check if the Certificate status is OK and the Certification Path resolves:


The last step is to the application, close any open browsers, delete the existing trusted.certs file and op the URL again.

If all is OK, the application should open without any Certificate Popups:


Now close the Application and the Browser and confirm that the trusted.certs file was not created again.

I hope you enjoyed this article, please leave some comments if you found it useful.