Solved

Import a pfx cert to remote PCs

Posted on 2014-03-26
27
2,429 Views
Last Modified: 2014-04-01
Import a pfx cert to remote PCs. It must be in the Certification > Personal folder.
Question by:NxJNY
27 Comments
 
LVL 28

Expert Comment

by:becraig
If you have PowerShell 4 or Win8 etc. you can use Import-PfxCertificate:

http://technet.microsoft.com/en-us/library/hh848625.aspx

Otherwise certutil would be your best option.

When you say personal above, do you mean the current user certificate store?
0
 
LVL 2

Author Comment

by:NxJNY
Thanks becraig. Here is my situation: I need to install a cert so that users can authenticate through RADIUS, so I created a GP to push the cert out; however, the location of the cert when pushed out through GP goes to Trusted Root, and I need it to go to Personal > Certificates.
0
 
LVL 28

Expert Comment

by:becraig
OK, so this sounds like you can simply use certutil, since you are going to be saving to the local machine store.


gc serverlist.txt | % {
    invoke-command -computername $_ -scriptblock {
        # -p takes the PFX password; -importpfx is a separate switch
        certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
    }
}


Something like the simple PowerShell script above should work.
0
 
LVL 53

Expert Comment

by:McKnife
Hi.

On a domain? Then use GPO cert distribution.
0
 
LVL 2

Author Comment

by:NxJNY
I used GPO; however, the cert goes into Trusted Root and I need it to go into Personal > Certificates.
0
 
LVL 28

Expert Comment

by:becraig
Did my script not work?

Or do you need to do this via GPO?
0
 
LVL 2

Author Comment

by:NxJNY
I am new at scripting. The script you sent, I am trying to figure out how to run it. Is it a bat script?
0
 
LVL 28

Expert Comment

by:becraig
It is a PowerShell script.

Your options are:
1. You can run the script as a PowerShell script against your server list.
2. You can run it as a bat; I will provide a bat version below.
3. You can follow the steps at the link below to set up a scheduled task to do this on each computer:
http://www.jasonpearce.com/blog/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

Bat script:
**Assumes you have psexec and access to each computer.

You can run at command line:
for /f %a in (serverlist.txt) do psexec \\%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx



Or save as .bat:
for /f %%a in (serverlist.txt) do psexec \\%%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx


0
 
LVL 2

Author Comment

by:NxJNY
What am I doing wrong with the bat script?


@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
LVL 28

Expert Comment

by:becraig
Hmm, do you get an error of any sort?

It seems to work for me.
0
 
LVL 2

Author Comment

by:NxJNY
After I ran it the cert does not show up on the remote laptop. I ran the script exactly as it shows. If I do it from the command prompt I get: %%a was unexpected at this time.

@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END
0
 
LVL 28

Expert Comment

by:becraig
Does the laptop have access to \\mypc3\cert\nxj-wireless.pfx? If not, the certutil command might fail.

You can add a copy to your bat file:

@ECHO OFF
copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\
for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

del c:\temp\nxj-wireless.pfx
END 


0
 
LVL 2

Author Comment

by:NxJNY
In which location do I place the file "laptoplist.txt"?
0
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
Sorry, I rushed my response, multitasking.

Save the text file in any directory; you can simply point to it:


@ECHO OFF

for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del c:\temp\nxj-wireless.pfx


0
 
LVL 2

Author Comment

by:NxJNY
Please ignore my last comment.
0
 
LVL 2

Author Comment

by:NxJNY
It never ends... I now get an access denied error even though I am a domain admin.

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on mylaptop5 with error code -2147024891.
Press any key to continue . . .
0
 
LVL 28

Expert Comment

by:becraig
This is an access denied error on the laptop you are trying to run the cert update on.

psexec is running as the system user; if your credentials would be valid for certificate install you can change to psexec -u username -p password.

Also, to end the batch file, change END to :END.
0
 
LVL 2

Author Comment

by:NxJNY
I am still getting the error.


@ECHO OFF

copy \\mypc3\cert\nxjwireless.pfx \\%%a\C%\temp\
for /f %%a in (\\mypc3\cert\laptoplist.txt) do psexec -u admin -p adminpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxjwireless.pfx

del c:\temp\nxjwireless.pfx

:END

This is the result:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on 192.168.110.190 with error code -2147024891.
Could Not Find c:\temp\nxjwireless.pfx
Press any key to continue . . .

0
 
LVL 28

Expert Comment

by:becraig
As it says Access is denied: do you have access to the target computer, i.e. can the account you are running this under perform certificate installs on the target laptop?


Are these laptops domain members ?
If so does your account have the required permissions ?

If the above two assumptions are correct, simply update the bat file as below:

@ECHO OFF

for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u yourusername -p yourpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del c:\temp\nxj-wireless.pfx
:END


Please be sure to add your username and password before running, if your account does have permissions.
0
 
LVL 2

Author Comment

by:NxJNY
Thanks for all your help becraig.... I now have more success. The script is running without errors; however, I don't see the cert in the Personal > Certifications folder after the script has run...
0
 
LVL 28

Expert Comment

by:becraig
On the target computer, simply run mmc.exe > Add/Remove Snap-in > Certificates > Computer account > Local computer > Personal > Certificates.

Once the password was correct etc. you should see the certificate there; if it is already open, just refresh.
0
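An added example (not from the thread) of doing the same check from the admin workstation for every laptop in the list instead of opening mmc on each one; the thumbprint value and the list path are assumed placeholders:

```powershell
# Reports whether the expected certificate is present in each laptop's machine Personal
# store (Cert:\LocalMachine\My, shown as "Personal > Certificates" in the mmc snap-in).
# Assumptions: PowerShell remoting is enabled on the laptops, and the thumbprint below is a
# constructed placeholder that must be replaced with the real one from the PFX.
$ExpectedThumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD'   # placeholder, replace
$Laptops = Get-Content -Path 'C:\pathto\laptoplist.txt' |
    Where-Object { $_.Trim() -ne '' }

$Results = Invoke-Command -ComputerName $Laptops -ErrorAction Continue `
    -ArgumentList $ExpectedThumbprint -ScriptBlock {
    param([string]$Thumbprint)
    # -eq on strings is case-insensitive, so the thumbprint's case does not matter
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Installed     = [bool]$cert
        HasPrivateKey = $(if ($cert) { $cert.HasPrivateKey } else { $false })  # needed for RADIUS client auth
        NotAfter      = $(if ($cert) { $cert.NotAfter } else { $null })
    }
}

$Results | Select-Object Computer, Installed, HasPrivateKey, NotAfter | Format-Table -AutoSize
$Results | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "$($_.Computer): certificate missing from LocalMachine\My" }
```

A laptop that is unreachable shows up as an error from Invoke-Command rather than as a row, so an empty row set is not a clean result.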
 
LVL 2

Author Comment

by:NxJNY
I thank you for your time becraig, I was out on Friday. I think I will give up on the cert script. The issue I am seeing is it's not getting installed under Personal > Certificate. If I run the script and remove the last part "del c:\temp\nxj-wireless.pfx" I see the certificate gets placed in the temp folder, so I know the script is working that far; however, it does not place the cert in Personal > Certificate.
0
 
LVL 28

Expert Comment

by:becraig
Your final solution for this would be just as simple.
You can simply add a batch file to check for the existence of the cert on the laptop and install it if missing.

This can be run from a logon script that fetches the pfx and pfx password from a central server at the time of each user logon.

That might be the best approach since you seem to have permission issues on the client machines.


Also try running this from the command line against the laptop the pfx is present on right now:

psexec  -u yourusername -p yourpassword \\laptopname cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

Paste the output from that command here.
0
 
LVL 2

Author Comment

by:NxJNY
Looks like you are correct, I don't have permission.

C:\Users\NxJ>psexec  -u NxJ -p domainpass \\mylaptop6 cmd /c certutil -f
 -p newcertpass-importpfx c:\temp\nxj-wireless.pfx

PsExec v2.1 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start cmd on mylaptop6:
The user name or password is incorrect.
0
 
LVL 28

Expert Comment

by:becraig
If you want, we can just simply write a quick batch file you can place on all clients to run at startup.

This can check a network resource for the pfx file and the password then install locally under that user's context.

It will work just as well and you can decide who has access to the share so the pfx and the password are still protected.
0
 
LVL 2

Author Comment

by:NxJNY
OK, so I made a small mistake that cost me. I forgot that because I am an administrator I needed to place the domain in front of my username.
This is the working script:

@ECHO OFF

for /f  %%a in (\\myserver\my.Share\cert\laptoplist.txt) do copy \\myserver\my.Share\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u mydomain\myusername -p mypassword \\%%a cmd /c certutil -f -p certpassword -importpfx c:\temp\nxj-wireless.pfx & del c:\temp\nxj-wireless.pfx
:END
0
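An added PowerShell version of the working script above and of becraig's earlier "check for the cert and install if missing" suggestion; it is not code from the thread. It uses Import-PfxCertificate (the cmdlet mentioned in the first reply, Win8/2012+) instead of certutil, prompts for the PFX password rather than embedding it in the command line, and assumes the share paths and thumbprint are placeholders and that the account running it is a local admin on each laptop with PowerShell remoting enabled:

```powershell
# Idempotent PFX deployment into each laptop's machine Personal store (Cert:\LocalMachine\My).
# Assumptions: the paths mirror the thread's share layout; the thumbprint is a constructed
# placeholder; remoting works under the domain account running this script.
$PfxPath    = '\\myserver\my.Share\cert\nxj-wireless.pfx'
$LaptopList = '\\myserver\my.Share\cert\laptoplist.txt'
$Thumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD'   # placeholder, replace
# Prompting keeps the password out of the script file and out of process command lines,
# where "certutil -p <password>" or "psexec -p <password>" would be readable by others.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

foreach ($laptop in (Get-Content $LaptopList | Where-Object { $_.Trim() -ne '' })) {
    $remoteTemp = "\\$laptop\C$\temp"
    try {
        # Stage the PFX locally on the laptop over the admin share, as the batch version does.
        if (-not (Test-Path $remoteTemp)) { New-Item -ItemType Directory -Path $remoteTemp | Out-Null }
        Copy-Item -Path $PfxPath -Destination $remoteTemp -Force

        $result = Invoke-Command -ComputerName $laptop -ArgumentList $Thumbprint, $PfxPassword -ScriptBlock {
            param([string]$Thumbprint, [securestring]$Password)
            $local = 'C:\temp\nxj-wireless.pfx'
            try {
                # Skip laptops that already have it, so the script can be re-run safely.
                $existing = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
                if ($existing) { return 'already installed' }
                # Private key is imported non-exportable unless -Exportable is given.
                $cert = Import-PfxCertificate -FilePath $local -CertStoreLocation Cert:\LocalMachine\My -Password $Password
                if ($cert.Thumbprint -ne $Thumbprint) { return "imported unexpected cert $($cert.Thumbprint)" }
                return 'installed'
            } finally {
                # Never leave the PFX (private key plus password-protected container) on the laptop.
                Remove-Item $local -Force -ErrorAction SilentlyContinue
            }
        }
        Write-Output "${laptop}: $result"
    } catch {
        # Covers the thread's failure modes: unreachable host, share access denied, wrong password.
        Write-Warning "${laptop}: $($_.Exception.Message)"
    }
}
```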
 
LVL 28

Expert Comment

by:becraig
Good, this is now resolved. We did get the script right and did zero in on the access issue; I guess I was just not very clear on username format :(
0
