Importing a .pfx certificate into a different user's store
-
Tuesday, January 22, 2013 3:26 PM
Hello all,
I have an install script to be used on Win7 machines that uses certutil to import a pfx file. The script is run when logged in as admin but the certificate is used when logged in as a standard user account. When I make the call it seems to install the certificate in the "Trusted Root Certification Authorities" of both users. I need to also install a .pfx into the Personal store of the standard user account. Is there a way to do this with certutil in a script that runs while logged in as the admin account?
certutil -f -p %PFXPASSWORD% -importpfx MyCert.pfx
All Replies
-
Tuesday, January 22, 2013 4:41 PM (Moderator)
Let me rephrase to make sure I understand the question: You want to import a certificate stored in a pfx file to another user's Personal store, while not logged on as that user, using certutil. Is that correct?
Bill
-
Tuesday, January 22, 2013 5:37 PM
Exactly.
> Let me rephrase to make sure I understand the question: You want to import a certificate stored in a pfx file to another user's Personal store, while not logged on as that user, using certutil. Is that correct?
> Bill
-
Tuesday, January 22, 2013 7:32 PM (Moderator)
I doubt you can do it, as I don't see any options for the certutil command that would let you do what you're asking.
As an aside, usually this sort of thing is handled in a domain by setting up a certificate authority and automatically issuing the needed certificates.
Bill
- Proposed As Answer by Bill_Stewart (Microsoft Community Contributor, Moderator), Thursday, January 31, 2013 4:12 PM
-
Monday, January 28, 2013 3:16 PM
Well, I can just automate the install to log in as the standard user and run the command to install the cert as that user, but what I noticed is that when I run the command above as the user that I want to install for (standard user), I get an "access denied" error from certutil. How do I give that user the right to even install the certificate?
> I doubt you can do it, as I don't see any options for the certutil command that would let you do what you're asking.
> As an aside, usually this sort of thing is handled in a domain by setting up a certificate authority and automatically issuing the needed certificates.
> Bill
-
Monday, January 28, 2013 3:29 PM (Moderator)
Hi,
I don't know the answer to this specific question, but I also don't think it's a question for a scripting forum.
Bill
-
Monday, January 28, 2013 3:45 PM
Think about what you are asking. If we could force our own certs into another user's store, then where would the security be?
You need to post in the security or OS forums. You cannot force a cert into a store. The user account must install the cert explicitly. In some cases we can provide user certs through AD. Post in OS or Directory Services for a complete discussion of how to do this.
¯\_(ツ)_/¯
-
Thursday, February 14, 2013 11:48 AM (Moderator)
As noted in this thread, you can't do quite what you want - i.e. to move a cert from one user's store to another.
Why not set up auto-enrollment for the cert? One place to look for more details: http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm
Thomas Lee <DoctorDNS@Gmail.Com>
-
Thursday, February 14, 2013 1:44 PM
> Think about what you are asking. If we could force our own certs into another user's store, then where would the security be?
> You need to post in the security or OS forums. You cannot force a cert into a store. The user account must install the cert explicitly. In some cases we can provide user certs through AD. Post in OS or Directory Services for a complete discussion of how to do this.
> ¯\_(ツ)_/¯
Makes sense. No big deal, I was just wondering (I'm not too well versed in how certs work, I'm more into scripting). Basically, as a solution I just add a few steps to the script to reboot and automatically log in as the standard user (but beforehand making that user an admin temporarily) and then install the cert while logged in as that user. After completing, remove the standard user from the admin group.
Thanks to everyone for the help!
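
Added example, not part of the original thread or written by any of its posters: a PowerShell function that imports a PFX into the current user's own Personal store from that user's session, without elevation. certutil without `-user` targets the local machine store, which requires admin rights. The function name is hypothetical, and the file name and `PFXPASSWORD` variable are assumed from the script quoted in the question.

```powershell
# Added example. Run in the standard user's own session; no admin rights needed,
# because only that user's CurrentUser\My store and key container are written.
# certutil equivalent (the -user switch selects the current user's store):
#   certutil -user -f -p %PFXPASSWORD% -importpfx MyCert.pfx
function Import-PfxToCurrentUser {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $ns = 'System.Security.Cryptography.X509Certificates'

    # UserKeySet: private key goes into the user's profile, not the machine key store.
    # PersistKeySet: keep the key after this process exits (otherwise it is discarded).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,PersistKeySet'

    $fullPath = (Resolve-Path $PfxPath).Path
    # Loads the end-entity certificate from the PFX; any CA certificates in the
    # file are not imported by this constructor.
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath, $Password, $flags
    if (-not $cert.HasPrivateKey) {
        throw "PFX '$fullPath' contains no private key for the certificate."
    }

    $store = New-Object "$ns.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($cert)
        # Confirm the certificate is present before reporting success.
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($found.Count -eq 0) { throw 'Certificate was not found after import.' }
    }
    finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

# Usage with the names assumed from the thread's script:
# Import-PfxToCurrentUser -PfxPath .\MyCert.pfx -Password $env:PFXPASSWORD
```

Started from the user's logon script or a scheduled task running as that user, this avoids adding the account to the Administrators group for the import.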

