• Status: Solved

Need to install a root certificate with a script on winXP

We want to install a root certificate on several 1000 computers still running Windows XP. The users have local admin rights. We made a script using certutil from the Adminpack tool for Windows 2003 Server, but it looks like we have a problem with the rights to install it.

The string we try to use is this:

c:\temp\certutil.exe -dspublish -f c:\temp\certificate.cer RootCA

We put certutil, certadm.dll and the certificate in the c:\temp folder.

The error message we got is this:


402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ldap:///CN=NAF-DATA ROOT CA,CN=Certification Authorities,CN=Public Key Services,
CN=Services,CN=Configuration,DC=oslotst,DC=no?cACertificate

429.666.0: 0x32 (50): CN=Certification Authorities,CN=Public Key Services,CN=Ser
vices,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x32 (50): 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACC
ESS_RIGHTS), data 0

429.670.0: 0x80070005 (WIN32: 5): CN=Certification Authorities,CN=Public Key Ser
vices,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.1458.0: 0x32 (50): CN=NAF-DATA ROOT CA,CN=Certification Authorities,CN=Publi
c Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x32 (50): 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACC
ESS_RIGHTS), data 0

429.1467.0: 0x80070005 (WIN32: 5): ldap: 0x32: 00000005: SecErr: DSID-03151E04,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

429.1473.0: 0x80070005 (WIN32: 5): ldap: 0x32: 00000005: SecErr: DSID-03151E04,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

429.1616.0: 0x80070005 (WIN32: 5)
429.813.0: 0x80070005 (WIN32: 5): CN=NAF-DATA ROOT CA,CN=Certification Authoriti
es,CN=Public Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x20 (32): 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT
), data 0, best match of:
        'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Conf
iguration,DC=oslotst,DC=no'

429.901.0: 0x8007208d (WIN32: 8333): CN=NAF-DATA ROOT CA,CN=Certification Author
ities,CN=Public Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.1262.0: 0x8007208d (WIN32: 8333)
307.4186.0: 0x80070005 (WIN32: 5)
ldap: 0x32: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS)
, data 0
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0,
best match of:
        'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Conf
iguration,DC=oslotst,DC=no'

307.4836.0: 0x80070005 (WIN32: 5)
307.5118.0: 0x80070005 (WIN32: 5)
CertUtil: -dsPublish command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Ingen tilgang.
301.3128.0: 0x80070005 (WIN32: 5)




Any tips on what is missing?
khairil commented:
Hi,

Are the XP computers attached to a domain?
Have you tried the manual way, by clicking and installing?
NAF-Data (Author) commented:
All the computers are domain members. But there are 700 domains, and they are NOT in a domain tree structure. (It is 700 different locations). A manual install is working. I can copy the file to the computer, double-click it and the certificate will install.
Paranormastic (Cryptographic Engineer) commented:
That command tries to publish to AD. You can do that with Enterprise or Domain admin rights. The rest is done via GPO.

Alternatively, for a local command using local admin rights:
certutil -addstore root ROOTCA.CER
certutil -addstore ca SUBORDINATECA.CER

If someone does not have local admin, they could install to HKCU instead of HKLM by adding -user after certutil and before -addstore.
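The local-store install from the answer above, written out as a deployment script. This is an added example, not code from the thread: the two paths are the ones given in the question, while the labels, messages and exit codes are assumptions.

```batch
@echo off
rem Added example (not from the original thread): install the root CA into the
rem LOCAL certificate store instead of publishing it to Active Directory.
rem Paths are the ones from the question; labels and messages are assumptions.
setlocal
set CERTUTIL=c:\temp\certutil.exe
set CERT=c:\temp\certificate.cer

if not exist "%CERTUTIL%" goto missing
if not exist "%CERT%" goto missing

rem -addstore root writes to the machine-wide Trusted Root store (HKLM).
rem It needs local admin rights only; no LDAP write to the directory happens.
"%CERTUTIL%" -addstore root "%CERT%"
rem Compare against 0: "if errorlevel 1" would not catch a negative exit code.
if %ERRORLEVEL% EQU 0 goto machine_ok

rem Fallback from the answer: -user targets the current user's store (HKCU).
echo Machine store install failed (%ERRORLEVEL%), trying the user store.
"%CERTUTIL%" -user -addstore root "%CERT%"
if %ERRORLEVEL% EQU 0 goto user_ok

echo Root certificate was NOT installed (exit code %ERRORLEVEL%).
exit /b 1

:machine_ok
echo Root certificate installed in the local machine store.
exit /b 0

:user_ok
echo Root certificate installed for the current user only.
exit /b 0

:missing
echo certutil.exe or the certificate file is missing from c:\temp.
exit /b 2
```

Confirm the thumbprint of c:\temp\certificate.cer against the CA's published value before rolling the script out, since every machine that runs it will trust whatever that file contains.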
 
NAF-Data (Author) commented:
I replaced the certutil.exe with CertMgr.exe and everything worked. Don't know why CertUtil didn't work though.
NAF-Data (Author) commented:
The change worked.