Solved
import a pfx cert to remote PC's

Posted on 2014-03-26
Last Modified: 2014-04-01
Import a PFX cert to remote PCs. It must be in the Certificates > Personal folder.
Question by:NxJNY
27 Comments

Expert Comment by: becraig (ID: 39956732)
If you have PowerShell 4 or Windows 8 etc., you can use Import-PfxCertificate:

http://technet.microsoft.com/en-us/library/hh848625.aspx

Otherwise, certutil would be your best option.

When you say Personal above, do you mean the current user certificate store?

Author Comment by: NxJNY (ID: 39956800)
Thanks becraig. Here is my situation: I need to install a cert so that users can authenticate through RADIUS, so I created a GP to push the cert out; however, the location of the cert when pushed out through GP goes to Trusted Root, and I need it to go to Personal > Certificates.

Expert Comment by: becraig (ID: 39956805)
OK, so this sounds like you can simply use certutil, since you are going to be saving to the local machine store.


# for each computer in serverlist.txt, run certutil remotely to import the PFX
# into the local machine store (note the space between the password and -importpfx)
gc serverlist.txt | % {
    invoke-command -computername $_ -scriptblock {
        certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx
    }
}


Something like the simple PowerShell script above should work.
0
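As an added example (not code from the thread), here is the same push done with the Import-PfxCertificate route mentioned above, over PowerShell remoting, instead of certutil. Two practical points the one-liner above does not cover: a UNC path referenced inside the remote script block runs into the Kerberos double-hop problem (the remote host cannot reuse your credentials to reach \\server\share), so the PFX is read once on the admin workstation and its bytes are shipped inside the session; and the PFX password is prompted for rather than written into the script or onto a command line where it shows up in process listings. The file locations, laptoplist.txt, and the requirement that targets run PowerShell 4+ with the PKI module and WinRM are assumptions.

```powershell
# Added example, not from the original thread.
# Assumptions: laptoplist.txt holds one hostname per line, the PFX lives at
# C:\certs\nxj-wireless.pfx on the admin workstation, and the targets run
# PowerShell 4+ with the PKI module (Import-PfxCertificate) and WinRM enabled.

$pfxPath     = 'C:\certs\nxj-wireless.pfx'
$computers   = Get-Content 'C:\certs\laptoplist.txt' | Where-Object { $_.Trim() -ne '' }
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Parse the PFX locally once: the thumbprint is used to verify each import,
# the raw bytes are what gets shipped to the targets (avoids the double hop).
$expected = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0].Thumbprint
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)

$results = Invoke-Command -ComputerName $computers -ArgumentList $pfxBytes, $pfxPassword, $expected -ScriptBlock {
    param([byte[]]$bytes, [securestring]$pwd, [string]$thumb)

    # Idempotent: re-running against a laptop that already has the cert is a no-op.
    if (Test-Path "Cert:\LocalMachine\My\$thumb") {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'AlreadyPresent' }
    }

    # Write the PFX to a uniquely named temp file on the target, import it, and
    # remove it again so a copy of the private key is not left lying in a temp folder.
    $tmp = Join-Path $env:TEMP ("{0}.pfx" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllBytes($tmp, $bytes)
        # Import-PfxCertificate keeps the private key non-exportable unless -Exportable is given.
        $cert = Import-PfxCertificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pwd
        $ok   = ($cert.Thumbprint -eq $thumb) -and $cert.HasPrivateKey
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = $(if ($ok) { 'Imported' } else { 'Mismatch' }) }
    } catch {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = "Failed: $($_.Exception.Message)" }
    } finally {
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
}

$results | Sort-Object Computer | Format-Table Computer, Status -AutoSize
```

The script block returns one status object per laptop so a failed or mismatched host is visible in the summary instead of being lost in scrolled output. If you stay with certutil instead, remember that certutil -importpfx leaves the private key exportable unless you add the NoExport modifier, whereas Import-PfxCertificate defaults to non-exportable, which is what you want for a machine authentication certificate.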

Expert Comment by: McKnife (ID: 39958246)
Hi.

On a domain? Then use GPO cert distribution.

Author Comment by: NxJNY (ID: 39958889)
I used GPO; however, the cert goes into Trusted Root and I need it to go into Personal > Certificates.

Expert Comment by: becraig (ID: 39958908)
Did my script not work?

Or do you need to do this via GPO?

Author Comment by: NxJNY (ID: 39958923)
I am new at scripting. The script you sent, I am trying to figure out how to run it. Is it a bat script?

Expert Comment by: becraig (ID: 39958961)
It is a PowerShell script.

Your options are:
1. You can run the script as a PowerShell script against your server list.
2. You can run it as a bat; I will provide a bat version below.
3. You can follow the steps at the link below to set up a scheduled task to do this on each computer:
http://www.jasonpearce.com/blog/2012/02/02/import-pfx-certificate-via-group-policy-preferences/

Bat script:
**Assumes you have psexec and access to each computer.

You can run at the command line:
for /f %a in (serverlist.txt) do psexec \\%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx

Or save as .bat (inside a batch file the loop variable is doubled to %%a):
for /f %%a in (serverlist.txt) do psexec \\%%a cmd /c certutil -f -p pfxpassword -importpfx \\server\c$\path-to\pfx.pfx


Author Comment by: NxJNY (ID: 39959039)
What am I doing wrong with the bat script?


@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END

Expert Comment by: becraig (ID: 39959184)
Hmm, do you get an error of any sort?

It seems to work for me.

Author Comment by: NxJNY (ID: 39959200)
After I ran it, the cert does not show up on the remote laptop. I ran the script exactly as it shows. If I do it from the command prompt I get:     %%a was unexpected at this time.

@ECHO OFF

for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxj-wireless.pfx

END

Expert Comment by: becraig (ID: 39959262)
Does the laptop have access to \\mypc3\cert\nxj-wireless.pfx? If not, the certutil command might fail.

You can add a copy to your bat file:

@ECHO OFF
copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\
for /f  %%a in (laptoplist.txt) do psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

del c:\temp\nxj-wireless.pfx
END 


Author Comment by: NxJNY (ID: 39959290)
In which location do I place the file "laptoplist.txt"?

Accepted Solution by: becraig (earned 2000 total points, ID: 39959319)
Sorry, I rushed my response, multitasking.

Save the text file in any directory; you can simply point to it:


@ECHO OFF

REM copy the PFX to the laptop, import it there, then delete the remote copy.
REM The del must point at the laptop's copy (\\%%a\C$\temp\...); a plain c:\temp path
REM would only delete on the machine running this batch and leave the PFX, private key included, on every laptop.
for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx



Author Comment by: NxJNY (ID: 39959362)
Please ignore my last comment.

Author Comment by: NxJNY (ID: 39959392)
It never ends... I now get an access denied error even though I am a domain admin:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on mylaptop5 with error code -2147024891.
Press any key to continue . . .

Expert Comment by: becraig (ID: 39959449)
This is an access denied error on the laptop you are trying to run the cert update on.

psexec is running as the system user; if your credentials would be valid for the certificate install, you can change to psexec -u username -p password.

Also, to end the batch file, change END to :END.

Author Comment by: NxJNY (ID: 39959973)
I am still getting the error:


@ECHO OFF

copy \\mypc3\cert\nxjwireless.pfx \\%%a\C%\temp\
for /f %%a in (\\mypc3\cert\laptoplist.txt) do psexec -u admin -p adminpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx \\mypc3\cert\nxjwireless.pfx

del c:\temp\nxjwireless.pfx

:END

This is the result:

CertUtil: -importPFX command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
cmd exited on 192.168.110.190 with error code -2147024891.
Could Not Find c:\temp\nxjwireless.pfx
Press any key to continue . . .

Expert Comment by: becraig (ID: 39960002)
As it says, Access is denied: do you have access to the target computer, i.e. can the account you are running this under perform certificate installs on the target laptop?


Are these laptops domain members?
If so, does your account have the required permissions?

If the above two assumptions are correct, simply update the bat file as below:

@ECHO OFF

REM copy, import under your own credentials via psexec, then delete the laptop's copy of the PFX
for /f  %%a in (c:\pathto\laptoplist.txt) do copy \\mypc3\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u yourusername -p yourpassword \\%%a cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END

Please be sure to add your username and password before running, if your account does have permissions.

Author Comment by: NxJNY (ID: 39960275)
Thanks for all your help becraig... I now have more success. The script is running without errors; however, I don't see the cert in the Personal > Certificates folder after the script has run...

Expert Comment by: becraig (ID: 39960293)
On the target computer, simply run mmc.exe, then Add/Remove Snap-in, Certificates, Computer account, Local computer, Personal, Certificates.


Once the password was correct etc., you should see the certificate there; if it is already open, just refresh.
0
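A scripted version of that check, added here and not part of the original answer: instead of opening mmc on every laptop, query the stores remotely and report where the certificate actually landed. It separates the machine Personal store (which is what a RADIUS/EAP machine certificate must be in) from the current user's Personal store and from Trusted Root (where the GPO import put it), and flags a certificate that arrived without its private key, lacks the Client Authentication EKU, is expired, or does not chain to a trusted root. The thumbprint placeholder and laptoplist.txt path are assumptions; the thumbprint is the value shown on the certificate's Details tab in mmc.

```powershell
# Added example, not from the original thread.
# Assumptions: $thumbprint is the thumbprint of nxj-wireless.pfx (hypothetical
# placeholder below), laptoplist.txt holds one hostname per line, WinRM is enabled.

$thumbprint = ('PASTE-THUMBPRINT-HERE' -replace '\s', '').ToUpper()
$computers  = Get-Content 'C:\certs\laptoplist.txt' | Where-Object { $_.Trim() -ne '' }
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID, required for EAP-TLS

$report = Invoke-Command -ComputerName $computers -ArgumentList $thumbprint, $clientAuth -ScriptBlock {
    param([string]$thumb, [string]$ekuOid)

    # Stores worth checking, in the order they are reported.
    $stores = [ordered]@{
        'LocalMachine\My'   = 'Cert:\LocalMachine\My'    # where it has to be for machine auth
        'CurrentUser\My'    = 'Cert:\CurrentUser\My'     # in case it was imported under a user context
        'LocalMachine\Root' = 'Cert:\LocalMachine\Root'  # where a GPO certificate import lands it
    }

    $found = foreach ($name in $stores.Keys) {
        $c = Get-ChildItem -Path $stores[$name] | Where-Object { $_.Thumbprint -eq $thumb }
        if ($c) {
            # No EKU extension means "any purpose"; otherwise Client Authentication must be listed.
            $ekuExt = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $hasEku = (-not $ekuExt) -or (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ekuOid)
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Store         = $name
                HasPrivateKey = $c.HasPrivateKey
                ClientAuthEKU = [bool]$hasEku
                Expired       = ($c.NotAfter -lt (Get-Date))
                ChainValid    = $c.Verify()   # builds the chain against this machine's trusted roots
            }
        }
    }

    if (-not $found) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Store = 'NOT FOUND'
            HasPrivateKey = $false; ClientAuthEKU = $false; Expired = $false; ChainValid = $false
        }
    } else {
        $found
    }
}

$report | Sort-Object Computer, Store |
    Format-Table Computer, Store, HasPrivateKey, ClientAuthEKU, Expired, ChainValid -AutoSize
```

A row showing LocalMachine\My with HasPrivateKey True, ClientAuthEKU True and ChainValid True is the state the RADIUS client needs; a row only under LocalMachine\Root is the GPO-import symptom described earlier in the thread, and HasPrivateKey False means the import brought the certificate but not the key.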

Author Comment by: NxJNY (ID: 39966475)
I thank you for your time becraig; I was out on Friday. I think I will give up on the cert script. The issue I am seeing is it's not getting installed under Personal > Certificates. If I run the script and remove the last part "del c:\temp\nxj-wireless.pfx", I see the certificate gets placed in the temp folder, so I know the script is working that far; however, it does not place the cert in Personal > Certificates.

Expert Comment by: becraig (ID: 39966501)
Your final solution for this would be just as simple.
You can simply add a batch file to check for the existence of the cert on the laptop and install it if missing.

This can be run from a logon script that fetches the pfx and pfx password from a central server at the time of each user logon.

That might be the best approach, since you seem to have permission issues on the client machines.


Also try running this from the command line against the laptop the pfx is present on right now:

psexec  -u yourusername -p yourpassword \\laptopname cmd /c certutil -f -p newcertpass -importpfx c:\temp\nxj-wireless.pfx

Paste the output from that command here.

Author Comment by: NxJNY (ID: 39966556)
Looks like you are correct, I don't have permission:

C:\Users\NxJ>psexec  -u NxJ -p domainpass \\mylaptop6 cmd /c certutil -f
 -p newcertpass-importpfx c:\temp\nxj-wireless.pfx

PsExec v2.1 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start cmd on mylaptop6:
The user name or password is incorrect.

Expert Comment by: becraig (ID: 39966575)
If you want, we can just write a quick batch file you can place on all clients to run at startup.

This can check a network resource for the pfx file and the password and then install locally under that user's context.

It will work just as well, and you can decide who has access to the share so the pfx and the password are still protected.

Author Comment by: NxJNY (ID: 39967745)
OK, so I made a small mistake that cost me. I forgot that because I am an administrator I needed to place the domain in front of my username.
This is the working script:

@ECHO OFF

REM copy the PFX to each laptop, import it with domain credentials, then delete the laptop's copy
REM (the del targets \\%%a\C$\temp so the PFX and its private key do not stay on the laptop)
for /f  %%a in (\\myserver\my.Share\cert\laptoplist.txt) do copy \\myserver\my.Share\cert\nxj-wireless.pfx \\%%a\C$\temp\ & psexec  -u mydomain\myusername -p mypassword \\%%a cmd /c certutil -f -p certpassword -importpfx c:\temp\nxj-wireless.pfx & del \\%%a\C$\temp\nxj-wireless.pfx
:END

Expert Comment by: becraig (ID: 39967762)
Good, this is now resolved. We did get the script right and did zero in on the access issue; I guess I was just not very clear on the username format :(