Kaseya Community

Install a CERtificate to the Trusted store thru a script?

  • Does anybody know of a way to install a certificate into the Trusted Root Certificate store using a command line?

    I found that the Windows Certificate Import Wizard uses rundll32.exe cryptext.dll CryptExtAddCER %1 (where %1 is filename of cert.) to add a certificate, but with user interaction required.

    I'd like to be able to push out a certificate for CACert.org - which I use for free SSL certificates (e.g. my KServer).

    I know there is also a MS utility CertMgr.exe, but I have not figured out that puppy yet...

    TIA,
    -Mike

    Legacy Forum Name: Install a CERtificate to the Trusted store thru a script?,
    Legacy Posted By Username: ReedMikel
  • I have a script that puts our cert in the Trusted Root Certification Authorities. The command shell part of it is:

    c:\temp\certutil.exe -addstore root c:\temp\entrust.cer

    Here's the full script for your use:

    Script Name: Add Certificate
    Script Description: This script adds the certificate of an https web site to the Trusted Root Certification Authorities certificate store on Windows XP, 2000 Pro, 2000 and 2003 Server computers.

    IF True
    THEN
    Write File
    Parameter 1 : c:\temp\certadm.dll
    Parameter 2 : VSASharedFiles\certadm.dll
    OS Type : 0
    Write File
    Parameter 1 : c:\temp\certcli.dll
    Parameter 2 : VSASharedFiles\certcli.dll
    OS Type : 0
    Write File
    Parameter 1 : c:\temp\certutil.exe
    Parameter 2 : VSASharedFiles\certutil.exe
    OS Type : 0
    Write File
    Parameter 1 : c:\temp\entrust.cer
    Parameter 2 : VSASharedFiles\entrust.cer
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\temp\certutil.exe -addstore root c:\temp\entrust.cer
    Parameter 2 : 0
    OS Type : 0
    ELSE

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: boudj
  • BTW - We just pulled the certcli.dll & certutil.exe from an xp system.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: boudj
  • Many thanks Boudj!

    Not sure how familiar you are with certificates, but I am fuzzy about them. I installed CACert.org's Class 3 Root into the Trusted Root Certifications Authority - and see it listed in IE6. But in IE6 when I go to my KServer's site, it still tells me "the security certificate was issued by a company you have not chosen to trust...". At this point I don't know if it's complaining about the root CACert Class 3 cert, or my server's own cert. So I modified your script and added another certutil.exe -addstore TrustedPublisher. But it still wants me to manually approve...

    Is there a way to avoid this, or does the user have to manually approve/trust one time in IE?

    As you can tell, I know nothing about certificates :)

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • I'm not sure (fuzzy on certs myself)... however after running the above script we were not asked to approve the cert at the workstation level (did not test this on Vista machines).

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: boudj
  • I must not be crossing all my Ts and dotting all my Is :)

    I know CACert.org is not distributed as a trusted root with browsers like IE and FireFox. But I thought that adding their root cert using the certutil would take care of that issue. Then again, maybe it's complaining about my own server's cert. I actually detest working with cert stuff, it's so seldom needed - but there are times when you do need em :)

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • It should... I used this same script with a self-signed cert (until I bought an Entrust one) and it seemed to take care of everything.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: boudj
  • I found an article on their site that says you have to import their Class 1 root certificate and the Class 3 intermediate certificate.

    http://wiki.cacert.org/wiki/BrowserClients#ImportintoMicrosoftWindowsformultipleusers

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: dkendall
  • Thanks for that link.
    But it just leaves me more confused than ever :) No wonder I despise working with certificates...

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • FYI, if you're still curious about the certmgr utility, I usually write the certmgr.exe and cert to the local PC and run a shell command using the following format to install it to the trusted root certificates:
    certmgr.exe /add /c "Path to certificate\name of cert.crt" /s /r localmachine root

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: neteffect
  • Thanks NetEffect! I imagine I would have to do this for both the CACert.org root cert as well as the cert for my KServer? Most of my clients use FireFox for their browser, which I think makes it near impossible to totally automate. For some reason I think FireFox will require a mouse click or two...

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • Haven't tried to install security certs for Firefox too much. Looks like the cert info is stored in a cert_override.txt under the "user's profile"\application data\Mozilla\Firefox\Profiles\"profile name"
    If you can figure out how to pipe the info into the txt file, should work fine. I tested it a little bit but had an issue with the spacing and format.
    Of course this is on XP Pro with Firefox 3.0.4.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: neteffect
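
Added example (not part of any post in this thread): a PowerShell wrapper around the certutil -addstore step that checks each certificate's SHA-256 fingerprint before it is trusted machine-wide, puts the root in the Root store and the intermediate in the CA (Intermediate Certification Authorities) store, and then asks certutil to verify the server certificate's chain. The file paths and fingerprint values are placeholders, and certutil.exe is assumed to be on the PATH.

```powershell
# Added example. Paths and fingerprints below are placeholders, not values
# from the thread. Get each SHA-256 fingerprint from the CA over a separate
# trusted channel before pushing the script out.
$certs = @(
    @{ Path = 'C:\temp\class1-root.cer';         Store = 'Root'; Sha256 = '<EXPECTED-SHA256-OF-ROOT>' },
    @{ Path = 'C:\temp\class3-intermediate.cer'; Store = 'CA';   Sha256 = '<EXPECTED-SHA256-OF-INTERMEDIATE>' }
)
$serverCert = 'C:\temp\kserver.cer'   # placeholder: exported server certificate

function Get-CertSha256([string]$Path) {
    # Parse the file (DER or Base64/PEM) and hash the DER encoding, so the
    # result matches a published fingerprint regardless of file format.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        return (($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    finally { $sha.Dispose() }
}

# Pass 1: verify every file first, so a single mismatch installs nothing.
foreach ($c in $certs) {
    $expected = ($c.Sha256 -replace '[:\s]', '').ToUpperInvariant()
    $actual   = Get-CertSha256 $c.Path
    if ($actual -ne $expected) {
        Write-Error "Fingerprint mismatch for $($c.Path): got $actual. Nothing installed."
        exit 1
    }
}

# Pass 2: root goes to 'Root', intermediate goes to 'CA'.
foreach ($c in $certs) {
    & certutil.exe -addstore $c.Store $c.Path
    if ($LASTEXITCODE -ne 0) {
        Write-Error "certutil -addstore $($c.Store) failed for $($c.Path)"
        exit $LASTEXITCODE
    }
}

# Chain check: shows whether the server certificate now builds to a trusted
# root, or which link in the chain is still missing or untrusted.
& certutil.exe -verify $serverCert
exit $LASTEXITCODE
```

The certutil -verify output separates the two cases raised in the thread, an untrusted root versus a problem with the server's own certificate or a missing intermediate.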