Solved

Import a PFX cert to remote PCs

Posted on 2014-03-26
Last Modified: 2014-04-01
Import a PFX cert to remote PCs. Must be in Certificates > Personal folder.
Question by:NxJNY
27 Comments
LVL 29

Expert Comment

by:becraig
ID: 39956732
If you have PowerShell 4 or Windows 8 etc. you can use Import-PfxCertificate:

http://technet.microsoft.com/en-us/library/hh848625.aspx

Otherwise certutil would be your best option.

When you say Personal above, do you mean the current user certificate store?
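Added example (not part of becraig's reply or of this thread): the Import-PfxCertificate route mentioned above, run over PowerShell remoting instead of psexec, with the result checked by thumbprint rather than by "the command did not error". It assumes PowerShell 5.0 or later on the admin machine (for Copy-Item -ToSession), Windows 8.1 / Server 2012 R2 or later on the laptops (Import-PfxCertificate and Get-PfxData from the PKI module), WinRM enabled, and that you run it as an account that is a local administrator on every laptop. The list path and PFX path are placeholders.

```powershell
# Added example, not code from the thread. Pushes a PFX into the Local Computer > Personal
# store (Cert:\LocalMachine\My) of each computer in a list over PowerShell remoting.
# Assumptions: PS 5.0+ locally, Windows 8.1 / 2012 R2+ on targets, WinRM enabled, and the
# caller is a local administrator on each target. Paths below are placeholders.
param(
    [string]$ComputerList = 'C:\pathto\laptoplist.txt',
    [string]$PfxPath      = 'C:\cert\nxj-wireless.pfx'
)

# Prompt for the PFX password instead of putting it on a command line, where it would show
# up in process listings and logs; it stays a SecureString and is encrypted in transit.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Thumbprint of the certificate we expect to land in the store, read locally from the PFX.
$expected = (Get-PfxData -FilePath $PfxPath -Password $pfxPassword).EndEntityCertificates[0].Thumbprint

foreach ($computer in (Get-Content -Path $ComputerList | Where-Object { $_.Trim() })) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop

        # Copy through the session rather than pointing certutil/Import-PfxCertificate at
        # \\server\c$: a command started over WinRM cannot forward our credentials to a
        # third machine (the "double hop" problem), so a UNC path inside the session fails.
        $remoteTmp = Invoke-Command -Session $session -ScriptBlock {
            Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.pfx')
        }
        Copy-Item -Path $PfxPath -Destination $remoteTmp -ToSession $session

        $result = Invoke-Command -Session $session -ArgumentList $remoteTmp, $pfxPassword, $expected -ScriptBlock {
            param($path, $password, $wantThumbprint)
            try {
                # Without -Exportable the private key is stored non-exportable on the laptop.
                $cert = Import-PfxCertificate -FilePath $path -Password $password `
                            -CertStoreLocation 'Cert:\LocalMachine\My'
                $stored = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
                          Where-Object { $_.Thumbprint -eq $wantThumbprint }
                [pscustomobject]@{
                    Imported      = ($cert.Thumbprint -eq $wantThumbprint)
                    InStore       = [bool]$stored
                    HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
                }
            } finally {
                # Never leave the PFX (it contains the private key) lying around on the client.
                Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
            }
        }
        Write-Output ("{0}: imported={1} inStore={2} privateKey={3}" -f
            $computer, $result.Imported, $result.InStore, $result.HasPrivateKey)
    } catch {
        Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

Cert:\LocalMachine\My is the store the MMC shows as Certificates (Local Computer) > Personal > Certificates, which is where a machine certificate for RADIUS/802.1X needs to be; the script reports HasPrivateKey because a certificate that lands there without its private key cannot be used to authenticate.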
LVL 2

Author Comment

by:NxJNY
ID: 39956800
Thanks becraig. Here is my situation: I need to install a cert so that users can authenticate through RADIUS, so I created a GP to push the cert out. However, the location of the cert when pushed out through GP is Trusted Root, and I need it to go to Personal > Certificates.
LVL 29

Expert Comment

by:becraig
ID: 39956805
OK, so this sounds like you can simply use certutil since you are going to be saving to the local machine store.


gc serverlist.txt | % {
    invoke-command -computername $_ -scriptblock {
        # -f overwrites an existing copy; -p takes the PFX password (note the space before -importpfx).
        # Without -user, certutil imports into the Local Computer > Personal store.
        # The remote session cannot forward your credentials on to \\server ("double hop"), so the
        # share must be readable by the target's computer account, or copy the PFX to the target first.
        certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
    }
}


Something like the simple PowerShell script above should work.
LVL 54

Expert Comment

by:McKnife
ID: 39958246
Hi.

On a domain? Then use GPO cert distribution.
LVL 2

Author Comment

by:NxJNY
ID: 39958889
I used GPO; however, the cert goes into Trusted Root and I need it to go into Personal > Certificates.
LVL 29

Expert Comment

by:becraig
ID: 39958908
Did my script not work?

Or do you need to do this via GPO?
LVL 2

Author Comment

by:NxJNY
ID: 39958923
I am new at scripting. The script you sent, I am trying to figure out how to run it. Is it a bat script?
LVL 29

Expert Comment

by:becraig
ID: 39958961
It is a PowerShell script.

Your options are:
1. You can run the script as a PowerShell script against your server list.
2. You can run it as a bat; I will provide a bat version below.
3. You can follow the steps at the link below to set up a scheduled task to do this on each computer:
http://www.jasonpearce.com/blog/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

Bat script:
**Assumes you have psexec and access to each computer.

You can run at the command line:
for /f %a in (serverlist.txt) do psexec \\%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx


Or save as .bat:
for /f %%a in (serverlist.txt) do psexec \\%%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx

LVL 2

Author Comment

by:NxJNY
ID: 39959039
What am I doing wrong with the bat script?


@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
LVL 29

Expert Comment

by:becraig
ID: 39959184
Hmm, do you get an error of any sort?

It seems to work for me.
LVL 2

Author Comment

by:NxJNY
ID: 39959200
After I ran it the cert did not show up on the remote laptop. I ran the script exactly as it shows. If I do it from the command prompt I get: %%a was unexpected at this time.

@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
LVL 29

Expert Comment

by:becraig
ID: 39959262
Does the laptop have access to \\mypc3\cert\nxj-wireless.pfx? If not, the certutil command might fail.

You can add a copy to your bat file:

@ECHO OFF
copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\
for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

del c:\temp\nxj-wireless.pfx
END 

LVL 2

Author Comment

by:NxJNY
ID: 39959290
In which location do I place the file "laptoplist.txt"?
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39959319
Sorry, I rushed my response, multitasking.

Save the text file in any directory; you can simply point to it:


@ECHO OFF
REM For each computer in the list: copy the PFX to its C$\temp share, import it into the
REM Local Computer > Personal store with certutil, then delete the copy on that computer
REM (a plain "del c:\temp\..." would only look on the machine running this batch file).
REM The PFX password is visible on the target's command line, so restrict who can read this file and the share.
for /f %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
LVL 2

Author Comment

by:NxJNY
ID: 39959362
Please ignore my last comment.
LVL 2

Author Comment

by:NxJNY
ID: 39959392
It never ends... I now get an access denied error even though I am a domain admin.

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on mylaptop5 with error code -2147024891.
Press any key to continue . . .
LVL 29

Expert Comment

by:becraig
ID: 39959449
This is an access denied error on the laptop you are trying to run the cert update on.

psexec is running as the system user; if your credentials would be valid for certificate install you can change to psexec -u username -p password.

Also, to end the batch file, change END to :END.
LVL 2

Author Comment

by:NxJNY
ID: 39959973
I am still getting the error.


@ECHO OFF

copy \\mypc3\cert\nxjwireless.pfx \\%%a\C%\temp\
for /f %%a in (\\mypc3\cert\laptoplist.txt) do psexec -u admin -p adminpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxjwireless.pfx

del c:\temp\nxjwireless.pfx

:END

This is the result:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on 192.168.110.190 with error code -2147024891.
Could Not Find c:\temp\nxjwireless.pfx
Press any key to continue . . .


LVL 29

Expert Comment

by:becraig
ID: 39960002
As it says Access is denied: do you have access to the target computer, i.e. can the account you are running this under perform certificate installs on the target laptop?


Are these laptops domain members?
If so, does your account have the required permissions?

If the above two assumptions are correct, simply update the bat file as below:

@ECHO OFF
REM certutil runs on each laptop as the account given to psexec -u/-p, so that account must
REM be a local administrator on the laptop. Both passwords sit in plain text in this file and
REM on the command line; keep the file where only you can read it. The "del" targets the copy
REM on the laptop's C$\temp share, not the machine running this script.
for /f %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec -u yourusername -p yourpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END

Please be sure to add your username and password before running, if your account does have permissions.
LVL 2

Author Comment

by:NxJNY
ID: 39960275
Thanks for all your help becraig... I now have more success. The script is running without errors; however, I don't see the cert in the Personal > Certificates folder after the script has run...
LVL 29

Expert Comment

by:becraig
ID: 39960293
On the target computer, simply run mmc.exe > Add/Remove Snap-in > Certificates > Computer account > Local computer > Personal > Certificates.


Once the password was correct etc. you should see the certificate there; if it is already open, just refresh.
LVL 2

Author Comment

by:NxJNY
ID: 39966475
I thank you for your time becraig; I was out on Friday. I think I will give up on the cert script. The issue I am seeing is it's not getting installed under Personal > Certificates. If I run the script and remove the last part "del c:\temp\nxj-wireless.pfx" I see the certificate gets placed in the temp folder, so I know the script is working that far; however, it does not place the cert in Personal > Certificates.
LVL 29

Expert Comment

by:becraig
ID: 39966501
Your final solution for this would be just as simple.
You can simply add a batch file to check for the existence of the cert on the laptop and install it if missing.

This can be run from a logon script that fetches the PFX and PFX password from a central server at the time of each user logon.

That might be the best approach since you seem to have permission issues on the client machines.


Also try running this from the command line against the laptop the PFX is present on right now:

psexec -u yourusername -p yourpassword \\laptopname cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

Paste the output from that command here.
LVL 2

Author Comment

by:NxJNY
ID: 39966556
Looks like you are correct, I don't have permission:

C:\Users\NxJ>psexec -u NxJ -p domainpass \\mylaptop6 cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

PsExec v2.1 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start cmd on mylaptop6:
The user name or password is incorrect.
LVL 29

Expert Comment

by:becraig
ID: 39966575
If you want we can just simply write a quick batch file you can place on all clients to run at startup.

This can check a network resource for the PFX file and the password, then install locally under that user's context.

It will work just as well and you can decide who has access to the share so the PFX and the password are still protected.
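Added example (not becraig's code and not from this thread): the "check for the cert and install it if missing" startup script suggested above, written in PowerShell so it is idempotent and can run at every boot. It assumes it runs as SYSTEM from a GPO computer startup script on Windows 8.1 / Server 2012 R2 or later (Get-PfxData and Import-PfxCertificate come from the PKI module), that the share holding the PFX and its password file is readable by the computer accounts and by nobody else, and placeholder share and file names.

```powershell
# Added example, not code from the thread. Idempotent startup script: installs the PFX into
# Cert:\LocalMachine\My (Certificates (Local Computer) > Personal > Certificates) only when
# the certificate is not already there with its private key.
# Assumptions: runs as SYSTEM at startup on Windows 8.1 / 2012 R2+; share ACL limits the
# PFX and password file to Domain Computers; all paths and names are placeholders.
$PfxPath      = '\\myserver\my.Share\cert\nxj-wireless.pfx'
$PasswordFile = '\\myserver\my.Share\cert\nxj-wireless.pfx.pw'   # single line, plain text
$Store        = 'Cert:\LocalMachine\My'
$Log          = Join-Path $env:ProgramData 'nxj-wireless-cert.log'

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Out-File -FilePath $Log -Append -Encoding utf8
}

try {
    # The password file is as sensitive as the PFX itself: anyone who can read both owns the
    # private key. The share ACL, not this script, is what protects it.
    $plain    = (Get-Content -Path $PasswordFile -First 1).Trim()
    $password = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Read the thumbprint out of the PFX without importing anything yet.
    $thumbprint = (Get-PfxData -FilePath $PfxPath -Password $password).EndEntityCertificates[0].Thumbprint

    $existing = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($existing -and $existing.HasPrivateKey) {
        Write-Log "Certificate $thumbprint already present with private key; nothing to do."
        exit 0
    }

    # Without -Exportable the private key is stored non-exportable, so a local user cannot
    # pull the PFX back out of the store later.
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $password -CertStoreLocation $Store

    if ($cert.Thumbprint -ne $thumbprint -or -not $cert.HasPrivateKey) {
        throw "Import returned $($cert.Thumbprint) (HasPrivateKey=$($cert.HasPrivateKey)); expected $thumbprint"
    }
    Write-Log "Imported $thumbprint into $Store."
    exit 0
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Because the check is by thumbprint, re-running the script after a renewed PFX is published on the share installs the new certificate and leaves the old one in place; the exit code and log line tell you from the GPO side which laptops still lack it.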
LVL 2

Author Comment

by:NxJNY
ID: 39967745
OK, so I made a small mistake that cost me. I forgot that because I am an administrator I needed to place the domain in front of my username.
This is the working script:

@ECHO OFF
REM The psexec username must be in DOMAIN\user form. The "del" removes the PFX copy from the
REM laptop's C$\temp share, not from the machine running this script.
for /f %%a in (\\myserver\my.Share\cert\laptoplist.txt) do copy \\myserver\my.Share\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec -u mydomain\myusername -p mypassword \\%%a cmd /c certutil -f -p certpassword -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END
LVL 29

Expert Comment

by:becraig
ID: 39967762
Good, this is now resolved. We did get the script right and did zero in on the access issue; I guess I was just not very clear on username format :(