import a pfx cert to remote PC's

Posted on 2014-03-26
Last Modified: 2014-04-01
Import a pfx cert to remote PCs. Must be in Certification > Personal folder.
Question by:NxJNY
27 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39956732
If you have PowerShell 4 or Win8 etc. you can use Import-PfxCertificate:

http://technet.microsoft.com/en-us/library/hh848625.aspx

Otherwise certutil would be your best option.

When you say personal above, do you mean the current user certificate store?
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39956800
Thanks becraig. Here is my situation. I need to install a cert so that users can authenticate through RADIUS, so I created a GP to push the cert out; however, the location of the cert when pushed out through GP goes to Trusted Root and I need it to go to Personal > Certificates.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39956805
OK, so this sounds like you can simply use certutil since you are going to be saving to the local machine store.


# one computer name per line in serverlist.txt; certutil runs on each of them
gc serverlist.txt | % {
    invoke-command -computername $_ -scriptblock {
        certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
    }
}

Something like the simple PowerShell script above should work.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39958246
Hi.

On a domain? Then use GPO cert distribution.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39958889
I used GPO; however, the cert goes into Trusted Root and I need it to go into Personal > Certificates.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39958908
Did my script not work?

Or do you need to do this via GPO?
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39958923
I am new at scripting. The script you sent, I am trying to figure out how to run it. Is it a bat script?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39958961
It is a PowerShell script.

Your options are:
1. You can run the script as a PowerShell script against your server list
2. You can run it as a bat; I will provide a bat version below
3. You can follow the steps at the link below to set up a scheduled task to do this on each computer:
http://www.jasonpearce.com/blog/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

Bat script:
**Assumes you have psexec and access to each computer.

You can run at the command line:
for /f %a in (serverlist.txt) do psexec \\%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx

Or save as .bat:
for /f %%a in (serverlist.txt) do psexec \\%%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx

0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959039
What am I doing wrong with the bat script?


@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
LVL 29

Expert Comment

by:becraig
ID: 39959184
Hmm, do you get an error of any sort?

It seems to work for me.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959200
After I ran it the cert does not show up on the remote laptop. I ran the script exactly as it shows. If I do it from the command prompt I get: %%a was unexpected at this time.

@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
LVL 29

Expert Comment

by:becraig
ID: 39959262
Does the laptop have access to \\mypc3\cert\nxj-wireless.pfx? If not, the certutil command might fail.

You can add a copy to your bat file:

@ECHO OFF
copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\
for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

del c:\temp\nxj-wireless.pfx
END

0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959290
In which location do I place the file "laptoplist.txt"?
0
 
LVL 29

Accepted Solution

by:
becraig earned 2000 total points
ID: 39959319
Sorry, I rushed my response, multitasking.

Save the text file in any directory; you can simply point to it:


@ECHO OFF

REM copy the pfx to the laptop, import it into the computer store, then delete the copy on the laptop (UNC path; a bare c:\temp would be your own PC)
for /f %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx

0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959362
Please ignore my last comment.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959392
It never ends... I now get an access denied error even though I am a domain admin.

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on mylaptop5 with error code -2147024891.
Press any key to continue . . .
0
 
LVL 29

Expert Comment

by:becraig
ID: 39959449
This is an access denied error on the laptop you are trying to run the cert update on.

psexec is running as the system user; if your credentials would be valid for certificate install you can change to psexec -u username -p password.

Also, to end the batch file, change END to :END.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39959973
I am still getting the error.


@ECHO OFF

copy \\mypc3\cert\nxjwireless.pfx \\%%a\C%\temp\
for /f %%a in (\\mypc3\cert\laptoplist.txt) do psexec -u admin -p adminpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxjwireless.pfx

del c:\temp\nxjwireless.pfx

:END

This is the result:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on 192.168.110.190 with error code -2147024891.
Could Not Find c:\temp\nxjwireless.pfx
Press any key to continue . . .
0
 
LVL 29

Expert Comment

by:becraig
ID: 39960002
As it says Access is denied: do you have access to the target computer, i.e. can the account you are running this under perform certificate installs on the target laptop?


Are these laptops domain members?
If so, does your account have the required permissions?

If the above two assumptions are correct, simply update the bat file as below:

@ECHO OFF

REM the final del uses the laptop's UNC path so the pfx copy is removed from the laptop, not from your own c:\temp
for /f %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec -u yourusername -p yourpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END

Please be sure to add your username and password before running, if your account does have permissions.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39960275
Thanks for all your help becraig.... I now have more success. The script is running without errors; however, I don't see the cert in the Personal > Certificates folder after the script has run...
0
 
LVL 29

Expert Comment

by:becraig
ID: 39960293
On the target computer, simply run mmc.exe > Add/Remove Snap-in > Certificates > Computer account > Local computer > Personal > Certificates.


Once the password was correct etc. you should see the certificate there; if it is already open just refresh.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39966475
I thank you for your time becraig, I was out on Friday. I think I will give up on the cert script. The issue I am seeing is it's not getting installed under Personal > Certificates. If I run the script and remove the last part "del c:\temp\nxj-wireless.pfx" I see the certificate gets placed in the temp folder, so I know the script is working that far; however, it does not place the cert in Personal > Certificates.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39966501
Your final solution for this would be just as simple.
You can simply add a batch file to check for the existence of the cert on the laptop and install it if missing.

This can be run from a logon script that fetches the pfx and pfx password from a central server at the time of each user logon.

That might be the best approach since you seem to have permission issues on the client machines.


Also try running this from the command line against the laptop the pfx is present on right now:

psexec  -u yourusername -p yourpassword \\laptopname cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

Paste the output from that command here.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39966556
Looks like you are correct, I don't have permission:

C:\Users\NxJ>psexec  -u NxJ -p domainpass \\mylaptop6 cmd /c certutil -f
 -p newcertpass-importpfx c:\temp\nxj-wireless.pfx

PsExec v2.1 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start cmd on mylaptop6:
The user name or password is incorrect.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39966575
If you want we can just simply write a quick batch file you can place on all clients to run at startup.

This can check a network resource for the pfx file and the password, then install locally under that user's context.

It will work just as well, and you can decide who has access to the share so the pfx and the password are still protected.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 39967745
OK, so I made a small mistake that cost me. I forgot that because I am an administrator I needed to place the domain in front of my username.
This is the working script:

@ECHO OFF

REM copy the pfx to each laptop, import it into the computer store, then remove the copy from the laptop (UNC path; a bare c:\temp would be the admin PC)
for /f %%a in (\\myserver\my.Share\cert\laptoplist.txt) do copy \\myserver\my.Share\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec -u mydomain\myusername -p mypassword \\%%a cmd /c certutil -f -p certpassword -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END
0
 
LVL 29

Expert Comment

by:becraig
ID: 39967762
Good, this is now resolved; we did get the script right and did zero in on the access issue. I guess I was just not very clear on username format :(
0
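The same procedure the thread arrives at (copy the PFX to each laptop, import it into the computer's Personal store, verify, clean up) written in PowerShell with the Import-PfxCertificate cmdlet becraig mentioned at the start, as an added example that is not code from the thread or its participants. It assumes WinRM (Invoke-Command) is enabled on the laptops instead of psexec, that the running account is a local admin on them, and that the list file, share path and PFX name are placeholders for your own.

```powershell
# Added example: push one PFX into Cert:\LocalMachine\My (Personal > Certificates)
# on every computer in a list and confirm the import by thumbprint.
# Assumes: WinRM (Invoke-Command) is enabled on the laptops, the account running
# this is a local admin on them, and these paths are placeholders for your own.
$computers   = Get-Content 'C:\pathto\laptoplist.txt'        # one hostname per line
$sourcePfx   = '\\myserver\my.Share\cert\nxj-wireless.pfx'  # share readable by admins only
$pfxPassword = Read-Host -AsSecureString 'PFX password'      # not hard-coded in the script

# Read the certificate on the admin box once, so each laptop can be checked
# against the thumbprint that is supposed to arrive in its store.
$expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $sourcePfx, $pfxPassword).Thumbprint

foreach ($pc in $computers) {
    $remoteTemp = "\\$pc\C$\temp"
    # 1. Stage the PFX on the laptop's own disk first. A UNC path opened *inside*
    #    Invoke-Command would use the remote session's credentials a second time,
    #    which fails with access denied (the credential "double hop").
    New-Item -ItemType Directory -Path $remoteTemp -Force | Out-Null
    Copy-Item -Path $sourcePfx -Destination $remoteTemp

    # 2. Import into the computer store. The SecureString is passed as an
    #    argument, so the PFX password never appears on a command line.
    $installed = Invoke-Command -ComputerName $pc -ArgumentList $pfxPassword -ScriptBlock {
        param([securestring]$pfxPwd)
        $cert = Import-PfxCertificate -FilePath 'C:\temp\nxj-wireless.pfx' `
                    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
        $cert.Thumbprint
    }

    # 3. Remove the staged PFX (it contains the private key) from the laptop.
    #    Note the UNC path: a plain 'del c:\temp\...' in a batch loop on the
    #    admin box deletes locally, not on the laptop.
    Remove-Item -Path "$remoteTemp\nxj-wireless.pfx" -Force

    # 4. Report per laptop against the expected thumbprint; this is the same
    #    check as opening mmc.exe > Certificates > Computer account > Personal.
    if ($installed -eq $expected) { Write-Host "$pc : imported $installed" }
    else { Write-Warning "$pc : not found in LocalMachine\My (got '$installed')" }
}
```

Run it from an elevated PowerShell on the admin box; the per-laptop warning tells you which machines still need the mmc.exe check described above.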
