I am trying to install a certificate for a website on multiple machines through a login script. Is this possible or what is the best option? I am most familiar with Batch scripts, if someone has one already working that would be the best option for me, otherwise I can call a vbs in a login script.

I have tried to just call the cert, but there are options for it. I need it to go to Trusted Publisher so that the ActiveX controls are loaded w/o prompts for the user.


Solution

I have actually had the same problem in the past... You will want to explore the following command:

certutil.exe

This command allows you to install certificates via command line.

certutil.exe -addstore -f "TrustedPublisher" "<Location_of_Certificate>"

The previous command will get you what you need, just replace the "<Location_of_Certificate>" with the actual location and file name of the certificate.

Using the ' -f ' option is a little bit overkill in some instances, but I did script out a way to check if the certificate is already installed FIRST. If it is then I skip trying to run this portion, because you can actually install multiple certificate stores, which is messy.

To achieve this, first you will need to know the publisher's name. The way I did this was I installed the Cert on a computer manually, then I ran the following command:

certutil.exe -store trustedpublisher

This should get you the list of ALL your trusted publishers. Now find the one you need in the list... you will see something like the following (I'm using Microsoft Root Authority as an example):

Serial Number: xxxx11dxxxx8ffexxxx
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
NotBefore: 10/1/1997 2:00 AM
NotAfter: 12/31/2002 2:00 AM
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
Non-root Certificate
Template:
Cert Hash(sha1): xx xx 1c xx xx 45 xx xx b3 xx xx 94 xx xx 7c 74 07 33 03 1c
No key provider information
Cannot find the certificate and private key for decryption.

Now that you have the Issuer of the Cert exactly like it will be listed you can perform the check:

certutil.exe -store trustedpublisher | findstr /C:"Microsoft Root Authority"

Now that should give you back some of the same info you saw in the original listing. This is what I do to handle the process from start to finish (NOTE I add the cert to both trusted publisher and CA):

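:importCertRoot
REM Reset ERRORLEVEL, then look for the cert in Trusted Publishers.
REM /C: makes findstr match the whole phrase instead of any single word.
verify >nul
certutil.exe -store trustedpublisher | findstr /C:"Microsoft Root Authority"
IF '%ERRORLEVEL%'=='0' goto importCertLocal
verify >nul
certutil.exe -addstore -f "TrustedPublisher" "<Location_of_Certificate>\<CertName.cer>"
goto importCertLocal

:importCertLocal
REM Same check and import for the CA store.
verify >nul
certutil.exe -store CA | findstr /C:"Microsoft Root Authority"
IF '%ERRORLEVEL%'=='0' goto exit
verify >nul
certutil.exe -addstore -f "CA" "<Location_of_Certificate>\<CertName.cer>"
goto next

REM The labels below belong to the rest of the login script.
:next
:exit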

I hope this helps you out
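
An added example (not part of the original answer): the same install-if-missing flow, but keyed on the certificate's SHA-1 thumbprint instead of a name substring, and refusing to trust a file whose SHA-256 does not match a pinned value. The path, thumbprint and file hash are placeholders to fill in; it assumes the script runs with rights to write the store and that certutil's -hashfile supports SHA256 on the target machines.

```batch
@echo off
setlocal
REM Added example. All three values are placeholders: record the thumbprint
REM and file hash once on a trusted machine, then hard-code them here.
set "CERT=<Location_of_Certificate>\<CertName.cer>"
set "THUMB=REPLACE_WITH_SHA1_THUMBPRINT_NO_SPACES"
set "FILEHASH=REPLACE_WITH_SHA256_OF_CER_FILE"

REM 1. Already installed? With a CertId argument, certutil -store fails
REM    when nothing matches. Its exit codes can be negative HRESULTs, so
REM    compare against 0 rather than using "if errorlevel 1".
certutil.exe -store TrustedPublisher "%THUMB%" >nul 2>&1
if %ERRORLEVEL% EQU 0 goto done

REM 2. Hash the file on the share before trusting it. The hash is the
REM    second output line; older builds print it with spaces.
set "ACTUAL="
for /f "skip=1 delims=" %%H in ('certutil.exe -hashfile "%CERT%" SHA256') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
if not defined ACTUAL goto mismatch
set "ACTUAL=%ACTUAL: =%"
if /I not "%ACTUAL%"=="%FILEHASH%" goto mismatch

REM 3. Install. No -f needed, because step 1 proved the cert is absent.
certutil.exe -addstore "TrustedPublisher" "%CERT%" >nul
if %ERRORLEVEL% NEQ 0 exit /b 1

:done
exit /b 0

:mismatch
echo Certificate file missing or hash mismatch, not installing. 1>&2
exit /b 1
```

Pinning the file hash matters here because anything placed in TrustedPublisher lets code signed by that certificate run without a prompt, so the script should fail closed if the file on the share has been swapped.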

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow