Import Sec Certificate using script

Guest

Hi, I have a problem: I have to import a security certificate on 200+ clients
(I cannot use GPO). Can I use a script to do it? Thanks.
 
Tom Che [MSFT]

Hi,

Thanks for posting here.

I just heard that your posting alias was not correctly recognized as a
TechNet subscriber. Sorry for any inconvenience, but please rest assured
that my colleagues are working on this problem and you will get a
satisfying answer as soon as possible.

At present, let's focus on your technical concern here.

From your post, my understanding of this issue is: you would like to know
how to import a Security Certificate in 200+ clients via script. If this
is not correct, please feel free to let me know.

Based on my research, if the 200+ clients use the same certificate, we can
use the CERTUTIL tool to import the certificate. You can find the newest
version of this tool on a Windows Server 2003 SP1 system, or you may
download and install the Windows Server 2003 Service Pack 1 Administration
Tools Pack from the following link:

<http://www.microsoft.com/downloads/details.aspx?familyid=E487F885-F0C7-436A-A392-25793A25BAD7&displaylang=en#instructions>

To import a certificate into the database
==================
Syntax
--------------
certutil -importcert [-f ] [-gmt ] [-seconds ] [-v ] [-config
CAMachineName\CAName] CertFile

Parameters
--------------
-importcert Imports a certificate file into the database.

-f Overwrites existing files or keys.

-gmt Displays time as Greenwich mean time.

-seconds Displays time with seconds and milliseconds.

-v Specifies verbose output.

-config CAMachineName\CAName Processes the operation by using the CA
specified in the configuration string (that is, CAMachineName\CAName).

CertFile Specifies the certificate to import.

-? Displays a list of certutil commands.

Remarks
--------------
- You must specify the CAComputerName or CAName in -config
CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog
box appears and displays a list of all CAs that are available.

- If you use -config - instead of -config CAComputerName\CAName, the
operation is processed using the default CA.

- You can use this command-line option to make a certificate revocable if
it is inadvertently lost from the database, which could be due to restoring
a database from an incomplete backup of the database. Note that the server
must have issued the certificate.

For more information about CERTUTIL, please see:

Certutil tasks for managing certificates
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a3d5dbb9-1bf6-42da-a13b-2b220b11b6fe.mspx>

However, since the certificate may be issued to a computer account or a user
account, in most cases we need to import a different certificate in each
computer/user session. If each user/computer has its own certificate, it is
a more complicated issue, and we need to tell which certificate is to be
imported to which user/computer. This will be a development-related request
and would best be addressed in the Developer newsgroups. I have provided the
link below:

<http://msdn.microsoft.com/newsgroups/default.asp>

Or you may ask for developer support:
<http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn>

Hope this helps.

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
 
Guest

Hi,
thanks for your answer, but I have a problem during the execution of the
CERTUTIL tool. The syntax that I used is: "certutil -v -importcert
c:\FileName.Extension" (I've tried with a '.cer' and a '.p7b' file, which I
exported from IE6). The error is: "CertUtil: The system cannot find the file
specified." So, in your opinion, what is my problem?
Thanks again.
 
Robert Aldwinckle

Kangurotto said:
Hi,
thanks for your answer, but I have a problem during the execution of the
CERTUTIL tool. The syntax that I used is: "certutil -v -importcert
c:\FileName.Extension" (I've tried with a '.cer' and a '.p7b' file, which I
exported from IE6). The error is: "CertUtil: The system cannot find the file
specified." So, in your opinion, what is my problem?
Thanks again.


Supposedly it creates or adds to a file called certutil.log
Try finding that file and looking in it for clues?

Have you tried adding a -config parameter too?
The syntax indicates that that parameter is optional
but the description tends to indicate otherwise.
E.g. otherwise why have that bizarre syntax -config -
to indicate "default CA"?


BTW this seems off-topic for this newsgroup.
I suspect you could get more informed help in a newsgroup
which specializes in security for your server OS.


Good luck

Robert Aldwinckle
---
 
Guest

Following the last answer (by Robert Aldwinckle), I have posted a question
about the 'CERTUTIL tool' command line in the Windows 2003 discussion group
(windows.server.general). Thanks.
 
Tom Che [MSFT]

Hi,

Thanks for your reply.

I noticed that you have opened a new post in other newsgroup. So, I just
provide some information based on my further research here:

The -importcert switch does not seem to be the best one for your needs; you
may try the following method instead, which I have tested on my own side,
and everything works fine:

certutil -addstore [-f ] [-enterprise ] [-user ] [-gmt ] [-seconds ] [-v ]
[-dc DCName] CertificateStoreName InFile

Parameters
-addstore Adds a certificate to a certificate store.

-f Overwrites existing files or keys.

-enterprise Uses the local computer Enterprise registry certificate store.

-user Uses the HKEY_CURRENT_USER keys or certificate store.

-gmt Displays time as Greenwich mean time.

-seconds Displays time with seconds and milliseconds.

-v Specifies verbose output.

-dc DCName Targets a specific domain controller.

CertificateStoreName Specifies one of the following store names:

ca Specifies certificates in the Intermediate Certification Authorities
store.

my Specifies certificates issued to the current user.

root Specifies certificates in the Trusted Root Certification
Authorities store.

spc Specifies software publisher certificates.

UserCreatedStore Specifies the name of a user-created certificate store.

InFile Specifies the file name of the certificate or certificate
revocation list (CRL).

For example, you may use the following command to install an example.cer to
the Intermediate Certification Authorities store:

certutil -addstore ca c:\example.cer

Hope this helps.

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
[Quoted message from Kangurotto, Mon, 7 Nov 2005, newsgroup
microsoft.public.windows.inetexplorer.ie6.browser]

 
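The thread ends with the bare command "certutil -addstore ca c:\example.cer". For a rollout to 200+ clients a practitioner wants two things the thread does not show: a check that the file being pushed is really the intended certificate (adding an unexpected certificate to the root or intermediate store of every client is exactly what an attacker who can tamper with the share would want), and an idempotent script that can be re-run from a startup or logon script without erroring on machines that already have it. The following PowerShell wrapper around certutil is an added example written for this page, not code from the thread or from Microsoft; the UNC path and the all-zero thumbprint are placeholders you would replace with your own file and its SHA-1 thumbprint (shown by `certutil -dump file.cer` or in the certificate's Details tab). Without the -user switch certutil writes to the local machine store, so the script must run with local administrator rights.

```powershell
# Added example (not from the original thread): deploy one CA certificate to the
# local machine store with certutil, verifying the file's thumbprint first and
# skipping the import when the certificate is already present.
param(
    # Assumed locations/values: replace with your own file and its SHA-1 thumbprint.
    [string]$CertFile = '\\fileserver\deploy\example.cer',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',
    # certutil store names used in the thread: root = Trusted Root CAs,
    # ca = Intermediate CAs, my = Personal.
    [ValidateSet('root', 'ca', 'my')]
    [string]$Store = 'ca'
)
$ErrorActionPreference = 'Stop'

# Map the certutil store name to the Cert: provider path for verification.
$storePath = @{ root = 'Cert:\LocalMachine\Root'
                ca   = 'Cert:\LocalMachine\CA'
                my   = 'Cert:\LocalMachine\My' }[$Store]

if (-not (Test-Path -LiteralPath $CertFile)) {
    Write-Error "Certificate file not found: $CertFile"
    exit 1
}

# 1. Parse the file without touching any store and compare the SHA-1 thumbprint.
#    This is what stops a swapped or corrupted file from becoming a trusted CA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$actual = $cert.Thumbprint.ToUpperInvariant()
if ($actual -ne $ExpectedThumbprint.ToUpperInvariant()) {
    Write-Error "Thumbprint mismatch for ${CertFile}: expected $ExpectedThumbprint, got $actual. Refusing to import."
    exit 2
}

# 2. Idempotency: do nothing if the same certificate is already in the target store.
$present = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $actual }
if ($present) {
    Write-Host "Already present in $storePath ($actual); nothing to do."
    exit 0
}

# 3. Import with certutil. No -user switch, so this targets the machine store.
& certutil.exe -addstore $Store $CertFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -addstore $Store failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# 4. Verify by re-reading the store rather than trusting certutil's exit code alone.
$verify = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $actual }
if (-not $verify) {
    Write-Error "certutil reported success but $actual was not found in $storePath."
    exit 3
}
Write-Host "Imported '$($cert.Subject)' ($actual) into $storePath."
```

Run it as a computer startup script or through a remote execution tool on each client; the non-zero exit codes (1 file missing, 2 thumbprint mismatch, 3 import not visible in the store) make failures easy to collect centrally. To put the certificate in the user's store instead, add -user to the certutil call and check Cert:\CurrentUser\... rather than Cert:\LocalMachine\....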
