SSL Cert. via opsi ?

Post by tiberQ

Hello,

I'm trying to distribute our SSL certificate to Windows 10 clients via opsi. After a bit of research, certutil seems suitable. My script does copy the cert, but apparently doesn't perform the import part. I don't understand it, especially because the same command works when run by hand in cmd and I don't get any opsi error message. Does anyone here have an idea?

Code:

[Actions]
Files_copy
Winbatch_install

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install]
certutil –addstore -enterprise –f "Root" "%SYSTEMDRIVE%\cacert.pem"

Re: SSL Cert. via opsi ?

Post by SisterOfMercy

Does the certutil command work when you do it manually from the command line? Maybe you need a /SysNative after Winbatch_install.

Tiny snippet from one of my own scripts:

Code:

Winbatch_install_64 /64Bit

[Winbatch_install_64]
"%SystemRoot%\system32\certutil.exe" -f -addstore "Root" "%ScriptPath%\files\globalsign.cer"
I've had it happen that the certificate was imported, but ended up in the wrong container, so it was not usable. Sometimes you need AuthRoot or whatever. With certutil you must be able to list the names of the cert stores, but I forgot the exact command.
Please write in German when I'm responding in the German-speaking part of the forum!

Re: SSL Cert. via opsi ?

Post by tiberQ

Hi,

Yes, manually the command works OK. I will try your suggestion. And ah, I can run a command which refers to a file located inside the ScriptPath, so I do not need to copy the cert first?

I will report if it works > THX!

Re: SSL Cert. via opsi ?

Post by tiberQ

Doesn't work - Bloody Win ;-(

[Actions]
Files_copy
Winbatch_install_64 /64Bit

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install_64]
"%SystemRoot%\system32\certutil.exe" –addstore –f "Root" "%SYSTEMDRIVE%\cacert.pem"

Re: SSL Cert. via opsi ?

Post by SisterOfMercy

tiberQ wrote: copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
Shouldn't that be copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%" ?

Or does the file exist anyway?
Give us log files? Set the log level to a higher level and paste (or link) the log files here.
Please write in German when I'm responding in the German-speaking part of the forum!

Re: SSL Cert. via opsi ?

Post by tiberQ

Well the file, the cert I would like to import is currently stored under the ScriptPath so I copied it first and then I try to import.
The copy part seems to work but I get a strange error, something seems to not work with the import itself. I do not get it, because the command works well manually?

Code:

 [awg-certificate] Execution of: Files_copy
[8] [2020-12-05 10:54:47.049] [awg-certificate] copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[5] [2020-12-05 10:54:47.049] [awg-certificate] 
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "x:\awg-certificate\cacert.pem" "C:\"
[7] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "x:\awg-certificate\cacert.pem" "C:\"
[7] [2020-12-05 10:54:47.059] [awg-certificate]   copy
[8] [2020-12-05 10:54:47.059] [awg-certificate]   source: x:\awg-certificate\cacert.pem - target:
[8] [2020-12-05 10:54:47.060] [awg-certificate]     Search: x:\awg-certificate\cacert.pem
[8] [2020-12-05 10:54:47.167] [awg-certificate]     Found: x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.282] [awg-certificate]   Copying  x:\awg-certificate\cacert.pem -----> C:\
[6] [2020-12-05 10:54:47.283] [awg-certificate]     1 File(s) found
[8] [2020-12-05 10:54:47.286] [awg-certificate]     Search: x:\awg-certificate\cacert.pem
[8] [2020-12-05 10:54:47.286] [awg-certificate]     Found: x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.286] [awg-certificate]     Source x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.286] [awg-certificate]       Info: Target C:\cacert.pem exists and shall be overwritten
[8] [2020-12-05 10:54:47.796] [awg-certificate]       After copy: x:\awg-certificate\cacert.pem LastError: 0 Success: True
[6] [2020-12-05 10:54:47.849] [awg-certificate]       x:\awg-certificate\cacert.pem copied to C:\
[6] [2020-12-05 10:54:47.868] [awg-certificate]     1 File(s) treated
[5] [2020-12-05 10:54:47.874] [awg-certificate] Finished of: Files_copy
[5] [2020-12-05 10:54:47.874] [awg-certificate] Execution of: Winbatch_install_64 /64Bit
[5] [2020-12-05 10:54:47.874] [awg-certificate] 
[6] [2020-12-05 10:54:47.875] [awg-certificate]   Call ""C:\Windows\system32\certutil.exe" –addstore –f "Root" "C:\cacert.pem""
[6] [2020-12-05 10:54:47.875] [awg-certificate]      Waiting until the called process is finished
[6] [2020-12-05 10:54:47.875] [awg-certificate]   Start process as invoker: SYSTEM
[6] [2020-12-05 10:54:47.889] [awg-certificate]   Started process "C:\Windows\system32\certutil.exe" with Opt: –addstore\r\n–f\r\n"Root"\r\n"C:\cacert.pem"
[6] [2020-12-05 10:54:48.046] [awg-certificate]   ExitCode -2147024894    Executed process ""C:\Windows\system32\certutil.exe" –addstore –f "Root" "C:\cacert.pem""
[7] [2020-12-05 10:54:48.046] [awg-certificate]     output:
[7] [2020-12-05 10:54:48.046] [awg-certificate]     --------------
[7] [2020-12-05 10:54:48.046] [awg-certificate]     CertUtil: -dump command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
[7] [2020-12-05 10:54:48.046] [awg-certificate]     CertUtil: The system cannot find the file specified.
[7] [2020-12-05 10:54:48.046] [awg-certificate]     --------------

Re: SSL Cert. via opsi ?

Post by tiberQ

I do not really understand why exactly, but now it works the dirty way:

[Actions]
Files_copy
Winbatch_install_64 /64Bit

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install_64]
certutil.exe -addstore root c:\cacert.pem

Re: SSL Cert. via opsi ?

Post by SisterOfMercy

I guess the certutil doesn't understand the %systemdrive% parameter.

If it's only the public part of the certificates, why not use a directory in programdata, where you store all certs. I use a different directory, but at least it doesn't end in c:\ where I'd afterwards have to figure out if it was important. ;)
Please write in German when I'm responding in the German-speaking part of the forum!
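
Added example (not part of any post in this thread): the log above shows certutil receiving its options as `–addstore` and `–f` with an en dash (U+2013) and answering with a `-dump` file-not-found error, while the variant that works uses an ASCII `-addstore`. The Python check below flags such look-alike dashes in an opsi script; the function names are hypothetical and the two sample scripts are copied from the posts above.

```python
import unicodedata

# Sample scripts copied from the posts above; \u2013 is the en dash in the failing one.
FAILING = '''[Actions]
Files_copy
Winbatch_install_64 /64Bit

[Files_copy]
copy -s "%ScriptPath%\\cacert.pem" "%SYSTEMDRIVE%\\"

[Winbatch_install_64]
"%SystemRoot%\\system32\\certutil.exe" \u2013addstore \u2013f "Root" "%SYSTEMDRIVE%\\cacert.pem"
'''
WORKING = '''[Winbatch_install_64]
certutil.exe -addstore root c:\\cacert.pem
'''


def is_lookalike_dash(ch):
    """True for dash-like characters other than the ASCII hyphen-minus (U+002D)."""
    return ch != "-" and (unicodedata.category(ch) == "Pd" or ch == "\u2212")


def find_lookalike_options(script):
    """Return (line_no, section, token, char_name) for every token that starts
    with a non-ASCII dash and so will not be parsed as a command-line option."""
    findings, section = [], None
    for line_no, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]  # opsi-script section header
            continue
        for token in stripped.split():
            if is_lookalike_dash(token[0]):
                findings.append((line_no, section, token, unicodedata.name(token[0])))
    return findings


def fix_line(line):
    """Rewrite tokens that start with a look-alike dash to start with ASCII '-'."""
    return " ".join("-" + t[1:] if t and is_lookalike_dash(t[0]) else t
                    for t in line.split(" "))


if __name__ == "__main__":
    for finding in find_lookalike_options(FAILING):
        print(finding)
    print(fix_line(FAILING.splitlines()[8]))
```

Such characters usually come from pasting a command out of a web page or word processor that typeset the hyphens.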