  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3009

Import a PFX cert to remote PCs

Import a PFX cert to remote PCs. It must go into the Certificates > Personal folder.
Asked by NxJNY

1 Solution
 
becraigCommented:
If you have PowerShell 4 or Win8 etc. you can use Import-PfxCertificate:

http://technet.microsoft.com/en-us/library/hh848625.aspx

Otherwise certutil would be your best option.

When you say Personal above, do you mean the current user certificate store?
0
 
NxJNYAuthor Commented:
Thanks becraig. Here is my situation: I need to install a cert so that users can authenticate through RADIUS, so I created a GP to push the cert out. However, when the cert is pushed out through GP it goes to Trusted Root, and I need it to go to Personal > Certificates.
0
 
becraigCommented:
OK, so this sounds like you can simply use certutil since you are going to be saving to the local machine store.


gc serverlist.txt | % {invoke-command -computername $_ -scriptblock {
    # -p takes the PFX password; -importpfx is a separate switch, so it needs the space before it.
    # The remote session must itself be able to read \\server\c$ (a second credential hop).
    certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
}}

Something like the simple PowerShell script above should work.
0
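An added PowerShell version of the approach discussed in this thread (this is not code posted by becraig or anyone else here): it stages the PFX on each target through the admin share, imports it with Import-PfxCertificate into Cert:\LocalMachine\My, which is the Computer account's Personal > Certificates folder in MMC, verifies by thumbprint that it actually landed there, and deletes the staged copy on the target. It assumes PowerShell 4+ and remoting on the targets, local admin rights there, and placeholder paths for the list file and the share.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 4+ on the targets
# (Import-PfxCertificate), PowerShell remoting enabled, and an account that is a
# local admin on each target. Paths and the list file are placeholders.
$computers = Get-Content -Path 'C:\pathto\laptoplist.txt'      # one hostname per line
$pfxSource = '\\myserver\my.Share\cert\nxj-wireless.pfx'        # share path as used in the thread
$pfxPass   = Read-Host -Prompt 'PFX password' -AsSecureString   # keeps it off the command line

# Read the certificate thumbprint locally so each target can be checked afterwards.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$expected = (New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxSource, $plain).Thumbprint
$plain = $null

foreach ($pc in $computers) {
    # Stage the file through the admin share so the remote session only reads a
    # local path; reading the UNC share from inside the session would need a
    # second credential hop (Kerberos delegation).
    $staged = "\\$pc\C$\Windows\Temp\nxj-wireless.pfx"
    Copy-Item -Path $pfxSource -Destination $staged -Force

    $ok = Invoke-Command -ComputerName $pc -ArgumentList $pfxPass, $expected -ScriptBlock {
        param([securestring]$pw, [string]$thumb)
        $local = 'C:\Windows\Temp\nxj-wireless.pfx'
        try {
            # Cert:\LocalMachine\My is "Personal > Certificates" under the Computer
            # account in MMC; Cert:\LocalMachine\Root would be Trusted Root.
            Import-PfxCertificate -FilePath $local -Password $pw `
                -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null
            # Check the store itself rather than trusting the exit status.
            [bool](Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue)
        } finally {
            Remove-Item -Path $local -Force -ErrorAction SilentlyContinue   # cleanup on the target
        }
    }
    '{0}: {1}' -f $pc, $(if ($ok) { 'installed in Personal' } else { 'NOT installed' })
}
```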
 
McKnifeCommented:
Hi.

On a domain? Then use GPO cert distribution.
0
 
NxJNYAuthor Commented:
I used GPO; however, the cert goes into Trusted Root and I need it to go into Personal > Certificates.
0
 
becraigCommented:
Did my script not work?

Or do you need to do this via GPO?
0
 
NxJNYAuthor Commented:
I am new at scripting. I am trying to figure out how to run the script you sent. Is it a bat script?
0
 
becraigCommented:
It is a PowerShell script.

Your options are:
1. You can run the script as a PowerShell script against your server list.
2. You can run it as a bat file; I will provide a bat version below.
3. You can follow the steps at the link below to set up a scheduled task to do this on each computer:
http://www.jasonpearce.com/blog/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

Bat script:
**Assumes you have psexec and access to each computer.

You can run at the command line:
for /f %a in (serverlist.txt) do psexec \\%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx

Or save as .bat:
for /f %%a in (serverlist.txt) do psexec \\%%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
0
 
NxJNYAuthor Commented:
What am I doing wrong with the bat script?


@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
becraigCommented:
Hmm, do you get an error of any sort?

It seems to work for me.
0
 
NxJNYAuthor Commented:
After I ran it the cert does not show up on the remote laptop. I ran the script exactly as it shows. If I do it from the command prompt I get: %%a was unexpected at this time.

@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
becraigCommented:
Does the laptop have access to \\mypc3\cert\nxj-wireless.pfx? If not, the certutil command might fail.

You can add a copy to your bat file:

@ECHO OFF
copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\
for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

del c:\temp\nxj-wireless.pfx
END
0
 
NxJNYAuthor Commented:
In which location do I place the file "laptoplist.txt"?
0
 
becraigCommented:
Sorry I rushed my response, multitasking.

Save the text file in any directory; you can simply point to it:


@ECHO OFF

REM copy the PFX to the target's admin share, import it there, then remove the staged copy from the target
for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
0
 
NxJNYAuthor Commented:
Please ignore my last comment.
0
 
NxJNYAuthor Commented:
It never ends... I now get an access denied error even though I am a domain admin.

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on mylaptop5 with error code -2147024891.
Press any key to continue . . .
0
 
becraigCommented:
This is an access denied error on the laptop you are trying to run the cert update on.

psexec is running as the system user; if your credentials would be valid for the certificate install, you can change to psexec -u username -p password.

Also, to end the batch file, change END to :END.
0
 
NxJNYAuthor Commented:
I am still getting the error.


@ECHO OFF

copy \\mypc3\cert\nxjwireless.pfx \\%%a\C%\temp\
for /f %%a in (\\mypc3\cert\laptoplist.txt) do psexec -u admin -p adminpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxjwireless.pfx

del c:\temp\nxjwireless.pfx

:END

This is the result:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on 192.168.110.190 with error code -2147024891.
Could Not Find c:\temp\nxjwireless.pfx
Press any key to continue . . .
0
 
becraigCommented:
As it says Access is denied: do you have access to the target computer, i.e. can the account you are running this under perform certificate installs on the target laptop?


Are these laptops domain members?
If so, does your account have the required permissions?

If the above two assumptions are correct, simply update the bat file as below:

@ECHO OFF

for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u yourusername -p yourpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END

Please be sure to add your username and password before running, if your account does have permissions.
0
 
NxJNYAuthor Commented:
Thanks for all your help becraig.... I now have more success. The script is running without errors; however, I don't see the cert in the Personal > Certificates folder after the script has run...
0
 
becraigCommented:
On the target computer, simply run mmc.exe > Add/Remove Snap-in > Certificates > Computer account > Local computer > Personal > Certificates.


Once the password was correct etc. you should see the certificate there; if it is already open, just refresh.
0
 
NxJNYAuthor Commented:
I thank you for your time becraig; I was out on Friday. I think I will give up on the cert script. The issue I am seeing is that it is not getting installed under Personal > Certificates. If I run the script and remove the last part "del c:\temp\nxj-wireless.pfx", I see the certificate gets placed in the temp folder, so I know the script is working that far; however, it does not place the cert in Personal > Certificates.
0
 
becraigCommented:
Your final solution for this would be just as simple.
You can simply add a batch file to check for the existence of the cert on the laptop and install it if missing.

This can be run from a logon script that fetches the pfx and pfx password from a central server at the time of each user logon.

That might be the best approach since you seem to have permission issues on the client machines.


Also, try running this from the command line against the laptop the pfx is present on right now:

psexec  -u yourusername -p yourpassword \\laptopname cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

Paste the output from that command here.
0
 
NxJNYAuthor Commented:
Looks like you are correct, I don't have permission.

C:\Users\NxJ>psexec  -u NxJ -p domainpass \\mylaptop6 cmd /c certutil -f
 -p newcertpass-importpfx c:\temp\nxj-wireless.pfx

PsExec v2.1 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start cmd on mylaptop6:
The user name or password is incorrect.
0
 
becraigCommented:
If you want, we can just write a quick batch file you can place on all clients to run at startup.

This can check a network resource for the pfx file and the password, then install locally under that user's context.

It will work just as well, and you can decide who has access to the share so the pfx and the password are still protected.
0
 
NxJNYAuthor Commented:
OK, so I made a small mistake that cost me. I forgot that because I am an administrator I needed to place the domain in front of my username.
This is the working script:

@ECHO OFF

for /f  %%a in (\\myserver\my.Share\cert\laptoplist.txt) do copy \\myserver\my.Share\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u mydomain\myusername -p mypassword \\%%a cmd /c certutil -f -p certpassword -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END
0
 
becraigCommented:
Good, this is now resolved. We did get the script right and did zero in on the access issue; I guess I was just not very clear on the username format :(
0