NAF-Data

Need to install a root certificate with a script on winXP

We want to install a root certificate on several 1000 computers still running Windows XP. The users have local admin rights. We made a script using certutil from the Adminpack tool for Windows 2003 Server. But it looks like we have a problem with the rights to install it.

The string we try to use is this:

c:\temp\certutil.exe -dspublish -f c:\temp\certificate.cer RootCA

We put certutil, certadm.dll and the certificate in the c:\temp folder.

The error message we got is this:


402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ldap:///CN=NAF-DATA ROOT CA,CN=Certification Authorities,CN=Public Key Services,
CN=Services,CN=Configuration,DC=oslotst,DC=no?cACertificate

429.666.0: 0x32 (50): CN=Certification Authorities,CN=Public Key Services,CN=Ser
vices,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x32 (50): 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACC
ESS_RIGHTS), data 0

429.670.0: 0x80070005 (WIN32: 5): CN=Certification Authorities,CN=Public Key Ser
vices,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.1458.0: 0x32 (50): CN=NAF-DATA ROOT CA,CN=Certification Authorities,CN=Publi
c Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x32 (50): 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACC
ESS_RIGHTS), data 0

429.1467.0: 0x80070005 (WIN32: 5): ldap: 0x32: 00000005: SecErr: DSID-03151E04,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

429.1473.0: 0x80070005 (WIN32: 5): ldap: 0x32: 00000005: SecErr: DSID-03151E04,
problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

429.1616.0: 0x80070005 (WIN32: 5)
429.813.0: 0x80070005 (WIN32: 5): CN=NAF-DATA ROOT CA,CN=Certification Authoriti
es,CN=Public Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.2129.0: 0x20 (32): 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT
), data 0, best match of:
        'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Conf
iguration,DC=oslotst,DC=no'

429.901.0: 0x8007208d (WIN32: 8333): CN=NAF-DATA ROOT CA,CN=Certification Author
ities,CN=Public Key Services,CN=Services,CN=Configuration,DC=oslotst,DC=no
429.1262.0: 0x8007208d (WIN32: 8333)
307.4186.0: 0x80070005 (WIN32: 5)
ldap: 0x32: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS)
, data 0
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0,
best match of:
        'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Conf
iguration,DC=oslotst,DC=no'

307.4836.0: 0x80070005 (WIN32: 5)
307.5118.0: 0x80070005 (WIN32: 5)
CertUtil: -dsPublish command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Ingen tilgang.
301.3128.0: 0x80070005 (WIN32: 5)




Any tips on what is missing?

khairil

Hi,

Are the XP computers attached to a domain?
Have you tried the manual way, by clicking and installing?

NAF-Data (ASKER)

All the computers are domain members. But there are 700 domains, and they are NOT in a domain tree structure. (It is 700 different locations). A manual install is working. I can copy the file to the computer, double click it and the certificate will install.

Paranormastic
That command tries to publish to AD.  You can do that with Enterprise or Domain admin rights.  The rest is done via GPO.

Alternatively, for a local command using local admin rights:
certutil -addstore root ROOTCA.CER
certutil -addstore ca SUBORDINATECA.CER

If someone does not have local admin, they could install to HKCU instead of HKLM by adding -user after certutil and before -addstore.
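
Added example, not part of the original thread or any poster's code: a Python script for triaging certutil output collected from many machines. It rejoins the 80-column console wrapping seen in the question's output, decodes the final HRESULT, and flags LDAP access denials, which show that the command attempted a directory write rather than a local store install. The function names and the small code tables are this example's own.

```python
import re

# Names for the Win32 codes that appear in the output quoted in the question.
WIN32 = {5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER",
         8333: "ERROR_DS_OBJ_NOT_FOUND"}
FACILITY_WIN32 = 7

# Excerpt of the question's output, still wrapped at 80 columns by the console.
SAMPLE = """\
429.2129.0: 0x32 (50): 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACC
ESS_RIGHTS), data 0
429.1262.0: 0x8007208d (WIN32: 8333)
CertUtil: -dsPublish command FAILED: 0x80070005 (WIN32: 5)
"""

FAILED = re.compile(r"^CertUtil: -(\w+) command FAILED: (0x[0-9a-fA-F]+)")
LDAP_PROBLEM = re.compile(r"problem \d+ \((\w+)\)")


def unwrap(text, width=80):
    """Rejoin lines the console cut at exactly `width` characters."""
    out, carry = [], ""
    for line in text.splitlines():
        carry += line
        if len(line) != width:  # a shorter line ends the logical record
            out.append(carry)
            carry = ""
    if carry:
        out.append(carry)
    return out


def decode_hresult(value):
    """Return (failed, facility, code, Win32 name or None)."""
    failed, facility, code = bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF
    name = WIN32.get(code) if facility == FACILITY_WIN32 else None
    return failed, facility, code, name


def triage(text):
    """Summarise one machine's certutil output: verb, final error, LDAP problems."""
    result = {"verb": None, "error": None, "ldap": set(), "needs_ad_rights": False}
    for line in unwrap(text):
        result["ldap"].update(LDAP_PROBLEM.findall(line))
        m = FAILED.match(line)
        if m:
            result["verb"] = m.group(1)
            result["error"] = decode_hresult(int(m.group(2), 16))[3]
    # A denied LDAP write means the command targeted the directory, not the local store.
    result["needs_ad_rights"] = "INSUFF_ACCESS_RIGHTS" in result["ldap"]
    return result
```
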
ASKER CERTIFIED SOLUTION
NAF-Data
The change worked.