
SSL Cert. via opsi ?

Posted: 04 Dec 2020, 16:11
by tiberQ
Hello,

I am trying to distribute our SSL certificate to Windows 10 clients via opsi. After a little research, certutil seems to be the right tool. My script does copy the cert, but apparently does not do the import part. I don't understand it, also because the same command works by hand in cmd and I get no opsi error message. Does anyone here have an idea?

Code:

[Actions]
Files_copy
Winbatch_install

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install]
certutil –addstore -enterprise –f "Root" "%SYSTEMDRIVE%\cacert.pem"

Re: SSL Cert. via opsi ?

Posted: 04 Dec 2020, 17:07
by SisterOfMercy
Does the certutil command work when you do it manually from the command line? Maybe you need a /SysNative after Winbatch_install.

Tiny snippet from one of my own scripts:

Code:

Winbatch_install_64 /64Bit

[Winbatch_install_64]
"%SystemRoot%\system32\certutil.exe" -f -addstore "Root" "%ScriptPath%\files\globalsign.cer"

I've had it happen that the certificate was imported, but ended up in the wrong container, so it was not usable. Sometimes you need AuthRoot or whatever. With certutil you must be able to list the names of the cert stores, but I forgot the exact command.

Re: SSL Cert. via opsi ?

Posted: 04 Dec 2020, 17:28
by tiberQ
Hi,

yes, manually the command works OK. I will try your suggestion, and ahh, I can run a command which refers to a file located inside the ScriptPath, so I do not need to copy the cert first?

I will report if it works > THX!

Re: SSL Cert. via opsi ?

Posted: 04 Dec 2020, 20:05
by tiberQ
Doesn't work - Bloody Win ;-(

[Actions]
Files_copy
Winbatch_install_64 /64Bit

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install_64]
"%SystemRoot%\system32\certutil.exe" –addstore –f "Root" "%SYSTEMDRIVE%\cacert.pem"

Re: SSL Cert. via opsi ?

Posted: 04 Dec 2020, 22:10
by SisterOfMercy
tiberQ wrote: copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
Shouldn't that be copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%" ?

Or does the file exist anyway?
Give us log files? Set the log level to a higher level and paste (or link) the log files here.

Re: SSL Cert. via opsi ?

Posted: 05 Dec 2020, 11:10
by tiberQ
Well, the file, the cert I would like to import, is currently stored under the ScriptPath, so I copied it first and then I try to import.
The copy part seems to work but I get a strange error; something seems to not work with the import itself. I do not get it because the command works well manually?

Code:

 [awg-certificate] Execution of: Files_copy
[8] [2020-12-05 10:54:47.049] [awg-certificate] copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[5] [2020-12-05 10:54:47.049] [awg-certificate] 
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"
[8] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "x:\awg-certificate\cacert.pem" "C:\"
[7] [2020-12-05 10:54:47.059] [awg-certificate]   copy -s "x:\awg-certificate\cacert.pem" "C:\"
[7] [2020-12-05 10:54:47.059] [awg-certificate]   copy
[8] [2020-12-05 10:54:47.059] [awg-certificate]   source: x:\awg-certificate\cacert.pem - target:
[8] [2020-12-05 10:54:47.060] [awg-certificate]     Search: x:\awg-certificate\cacert.pem
[8] [2020-12-05 10:54:47.167] [awg-certificate]     Found: x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.282] [awg-certificate]   Copying  x:\awg-certificate\cacert.pem -----> C:\
[6] [2020-12-05 10:54:47.283] [awg-certificate]     1 File(s) found
[8] [2020-12-05 10:54:47.286] [awg-certificate]     Search: x:\awg-certificate\cacert.pem
[8] [2020-12-05 10:54:47.286] [awg-certificate]     Found: x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.286] [awg-certificate]     Source x:\awg-certificate\cacert.pem
[6] [2020-12-05 10:54:47.286] [awg-certificate]       Info: Target C:\cacert.pem exists and shall be overwritten
[8] [2020-12-05 10:54:47.796] [awg-certificate]       After copy: x:\awg-certificate\cacert.pem LastError: 0 Success: True
[6] [2020-12-05 10:54:47.849] [awg-certificate]       x:\awg-certificate\cacert.pem copied to C:\
[6] [2020-12-05 10:54:47.868] [awg-certificate]     1 File(s) treated
[5] [2020-12-05 10:54:47.874] [awg-certificate] Finished of: Files_copy
[5] [2020-12-05 10:54:47.874] [awg-certificate] Execution of: Winbatch_install_64 /64Bit
[5] [2020-12-05 10:54:47.874] [awg-certificate] 
[6] [2020-12-05 10:54:47.875] [awg-certificate]   Call ""C:\Windows\system32\certutil.exe" –addstore –f "Root" "C:\cacert.pem""
[6] [2020-12-05 10:54:47.875] [awg-certificate]      Waiting until the called process is finished
[6] [2020-12-05 10:54:47.875] [awg-certificate]   Start process as invoker: SYSTEM
[6] [2020-12-05 10:54:47.889] [awg-certificate]   Started process "C:\Windows\system32\certutil.exe" with Opt: –addstore\r\n–f\r\n"Root"\r\n"C:\cacert.pem"
[6] [2020-12-05 10:54:48.046] [awg-certificate]   ExitCode -2147024894    Executed process ""C:\Windows\system32\certutil.exe" –addstore –f "Root" "C:\cacert.pem""
[7] [2020-12-05 10:54:48.046] [awg-certificate]     output:
[7] [2020-12-05 10:54:48.046] [awg-certificate]     --------------
[7] [2020-12-05 10:54:48.046] [awg-certificate]     CertUtil: -dump command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
[7] [2020-12-05 10:54:48.046] [awg-certificate]     CertUtil: The system cannot find the file specified.
[7] [2020-12-05 10:54:48.046] [awg-certificate]     --------------

Re: SSL Cert. via opsi ?

Posted: 05 Dec 2020, 11:45
by tiberQ
I do not really understand why exactly, but now it works the dirty way:

[Actions]
Files_copy
Winbatch_install_64 /64Bit

[Files_copy]
copy -s "%ScriptPath%\cacert.pem" "%SYSTEMDRIVE%\"

[Winbatch_install_64]
certutil.exe -addstore root c:\cacert.pem

Re: SSL Cert. via opsi ?

Posted: 06 Dec 2020, 04:03
by SisterOfMercy
I guess the certutil doesn't understand the %systemdrive% parameter.

If it's only the public part of the certificates, why not use a directory in ProgramData, where you store all certs? I use a different directory, but at least it doesn't end up in c:\ where I'd afterwards have to figure out if it was important. ;)
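
Added example (not part of the original posts): in the failing sections and in the opsi log, the options are written "–addstore" and "–f" with an en dash (U+2013), and certutil answers with a failed -dump and ERROR_FILE_NOT_FOUND, while the command that worked uses the ASCII hyphen "-addstore". The Python check below flags option tokens that start with such a look-alike dash so a package script can be checked before rollout; the function names are made up for this example, and the sample lines are copied from the thread.

```python
import re
import unicodedata

def is_lookalike_dash(ch):
    """True for Unicode dashes that render like '-' but are not U+002D."""
    if ch == "-":
        return False
    # "Pd" = dash punctuation (en dash, em dash, ...); U+2212 is MINUS SIGN.
    return unicodedata.category(ch) == "Pd" or ch == "\u2212"

def find_lookalike_options(text):
    """Return (line_no, token, unicode_name, ascii_token) for each
    token that starts with a look-alike dash instead of ASCII '-'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # opsi logs print the argument list joined by a literal "\r\n",
        # so split on that as well as on whitespace.
        for token in re.split(r"\\r\\n|\s+", line):
            if token and is_lookalike_dash(token[0]):
                findings.append((line_no, token,
                                 unicodedata.name(token[0]),
                                 "-" + token[1:]))
    return findings

# Lines copied from the thread: the failing Winbatch line, the "Opt:" part of
# the log line, and the line that worked. \u2013 is written out to be visible.
SAMPLE = (
    '"%SystemRoot%\\system32\\certutil.exe" \u2013addstore \u2013f "Root" "%SYSTEMDRIVE%\\cacert.pem"\n'
    'with Opt: \u2013addstore\\r\\n\u2013f\\r\\n"Root"\\r\\n"C:\\cacert.pem"\n'
    'certutil.exe -addstore root c:\\cacert.pem\n'
)

if __name__ == "__main__":
    for line_no, token, name, fixed in find_lookalike_options(SAMPLE):
        print(f"line {line_no}: {token!r} starts with {name}; use {fixed!r}")
```

Run it over the package's script files before upload; an empty result means every option token starts with a plain ASCII hyphen.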