PowerShell: How to install a PFX certificate on a remote computer in 'CurrentUser' store location?
I have tried Import-PfxCertificate with Invoke-Command, but I think it requires the certificate file to be copied first to the remote server. And I also think it requires the credentials to be delegated.
As per the below link, the .NET classes do not support 'CurrentUser' -
http://blogs.technet.com/b/heyscriptingguy/archive/2011/02/16/use-powershell-and-net-to-find-expired-certificates.aspx
"Of these two certificate store locations, only LocalMachine can be accessed remotely via the .NET class. Attempting to access CurrentUser will result in an “Access Denied” message because of security reasons."
Is there any way to accomplish this using PowerShell?
powershell certificate
asked Oct 28 '15 at 13:28
Pravesh Gupta
2 Answers
You could use a PSSession to step into the remote PC.

    Enter-PSSession -ComputerName RemoteSystem
    # ...Prompt changes and commands are now executing on the remote system
    # Change the store location to the appropriate store you'd like to put the cert in
    Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath \\server\path\to\cert.pfx
    Exit-PSSession

This would be the simplest way to do it, and any other command which must execute on a local system.
If you need to do this in a script across a large number of systems:

    $computers = Get-Content .\computers.txt  # get a bunch of computers, either a txt file, csv or whatever (file name is a placeholder)
    ForEach ($remoteSystem in $computers) {
        # Enter-PSSession is interactive only; in a script, Invoke-Command runs the block remotely
        Invoke-Command -ComputerName $remoteSystem -ScriptBlock {
            Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath \\server\path\to\cert.pfx
        }
    }

Done!
edited Sep 9 '16 at 0:24
Justin Helgerson
answered Oct 28 '15 at 13:45
FoxDeploy
Thanks for the response but getting this error. "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED). This may be the result of user credentials being required on the remote machine. See Enable-WSManCredSSP Cmdlet help on how to enable and use CredSSP for delegation with PowerShell remoting."
– Pravesh Gupta
Oct 29 '15 at 4:17
Import-PfxCertificate -CertStoreLocation Cert:CurrentUserMy -FilePath \172.xx.xx.xxSharedCertspravesh.com.pfx . Executed this command after Enter-PSSession . .
– Pravesh Gupta
Oct 29 '15 at 4:23
Get PowerShell remoting working first. Run Get-help about_remoting for an excellent guide on the topic.
– FoxDeploy
Oct 29 '15 at 7:44
I had a double hop authentication problem with above solution. Below code worked well for me. Hope it helps! :)

    # Read the PFX as raw bytes on the local machine
    # (Windows PowerShell syntax; PowerShell 6+ uses -AsByteStream instead of -Encoding Byte)
    [byte[]]$Pfxinbyts = Get-Content "$FullPathWithFileName.pfx" -Encoding Byte
    # $session is an existing PSSession to the target; the bytes travel inside it, so no file share is involved
    Invoke-Command -Session $session -ScriptBlock {
        param(
            [byte[]] $PFXCertInByte,
            [string] $CertRootStore,
            [string] $CertStore,
            [string] $X509Flags,
            $PfxPass)
        $Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $Pfx.Import([byte[]]$PFXCertInByte, $PfxPass, $X509Flags)
        $Store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $CertStore, $CertRootStore
        $Store.Open("MaxAllowed")
        $Store.Add($Pfx)
        if ($?)
        {
            "${Env:ComputerName}: Successfully added certificate."
        }
        else
        {
            # Collapse line breaks so the error fits on one output line
            "${Env:ComputerName}: Failed to add certificate! $($Error[0].ToString() -replace '[\r\n]+', ' ')"
        }
        $Store.Close()
    } -ArgumentList $Pfxinbyts, "LocalMachine", "My", "Exportable,PersistKeySet", $PFXPassword

answered Nov 14 '18 at 18:59
Fairoz
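
One way to avoid the UNC path and the second hop discussed in this thread, as an added example that is not code from either answer: copy the PFX through the remoting session with Copy-Item -ToSession, import it from a local path on the target, then delete the copy. Install-RemotePfx, its parameter names and the temp-file naming are hypothetical; the default store is Cert:\LocalMachine\My, the one the second answer's code writes to.

```powershell
# Added example: Install-RemotePfx and its parameter names are hypothetical.
function Install-RemotePfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [string]       $PfxPath,        # PFX readable from the machine running this script
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $CertStoreLocation = 'Cert:\LocalMachine\My'  # store used by the second answer
    )

    foreach ($computer in $ComputerName) {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
        try {
            # Unique temp file name on the target, inside the remote account's temp folder
            $remotePath = Invoke-Command -Session $session -ScriptBlock {
                Join-Path $env:TEMP ("{0}.pfx" -f [guid]::NewGuid())
            }

            # The file travels inside the WinRM session, so the target never
            # has to authenticate to a file share (no second hop).
            Copy-Item -Path $PfxPath -Destination $remotePath -ToSession $session

            Invoke-Command -Session $session -ScriptBlock {
                try {
                    $cert = Import-PfxCertificate -FilePath $using:remotePath `
                        -CertStoreLocation $using:CertStoreLocation `
                        -Password $using:PfxPassword -ErrorAction Stop
                    # Report what landed in the store so the caller can verify it
                    [pscustomobject]@{
                        Computer      = $env:COMPUTERNAME
                        Thumbprint    = $cert.Thumbprint
                        HasPrivateKey = $cert.HasPrivateKey
                    }
                }
                finally {
                    # Do not leave the key material on disk, even if the import failed
                    Remove-Item -LiteralPath $using:remotePath -Force -ErrorAction SilentlyContinue
                }
            }
        }
        finally {
            Remove-PSSession -Session $session
        }
    }
}

# Usage (constructed values):
# $pw = Read-Host -AsSecureString 'PFX password'
# Install-RemotePfx -ComputerName 'RemoteSystem' -PfxPath 'C:\certs\cert.pfx' -PfxPassword $pw
```

The password is passed as a SecureString rather than plain text, and the returned thumbprint can be compared against the expected certificate before the deployment is considered done.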