Importing an X.509 certificate into the Windows certificate store and granting a user access to its private key can be a real pain, especially if you have to do it on multiple machines!
Fear not, my friend: it can be automated, for both local and remote machines. I thought I might document how to do it because it took some time to get working.
The below script will:
- Check whether the certificate from the .pfx file is already in the LocalMachine\My store
- If it is not already there, import the .pfx
- Find the file holding the private key via the certificate's thumbprint, using Microsoft's FindPrivateKey tool
- Grant a user read access to that key file
NOTE: the below script is strictly illustrative; production use needs more error handling and commenting than it has ;)
@echo off
SETLOCAL ENABLEEXTENSIONS
REM Usage: install.bat user thumbprint pfx_file pfx_password
REM %~1 etc. strip the surrounding quotes so each value can be re-quoted safely below
set "user=%~1"
set "thumbprint=%~2"
set "file_name=%~3"
set "password=%~4"
set "certpath="
set "imported=0"
:findcertificate
REM FindPrivateKey prints the path of the file holding the private key of the
REM certificate with this thumbprint in LocalMachine\My (-a = print the path only)
for /F "delims=" %%i in ('FindPrivateKey.exe My LocalMachine -t %thumbprint% -a') do set "certpath=%%i"
REM "if exist" rather than "if defined": an error message captured from FindPrivateKey is not a path
if exist "%certpath%" goto grantaccess
if "%imported%"=="1" (echo Certificate %thumbprint% still not found after import & exit /b 1)
REM Import into LocalMachine\My (certutil targets the machine store when run elevated)
certutil -f -p "%password%" -importpfx "%file_name%"
set "imported=1"
goto findcertificate
:grantaccess
icacls.exe "%certpath%" /grant "%user%:R"
And that’s it.
If you cut and paste the above into a .bat file and name it something like install.bat, you can invoke it like this:
install.bat user_name thumbprint certificate_filename certificate_password
For example:
install.bat "IIS AppPool\AppPool1" bc4da1aa2b7116abe33277a44eaab2135210e23b certificate.pfx password
Some pre-requisites/gotchas:
- You will need Microsoft's FindPrivateKey tool, which locates the file holding the private key of a certificate in the store. It is one of the WCF samples and ships as source, so build it and copy the resulting FindPrivateKey.exe next to the script.
- The script locates the certificate by its thumbprint, which you will need to determine in advance, for example by importing the certificate manually on one machine and reading it from the certificate's details, or with certutil -p password -dump certificate.pfx, which prints it as Cert Hash(sha1) without importing anything. If you copy it from the certificate MMC snap-in, strip the spaces and any invisible leading character, or FindPrivateKey will not match it.
- You can also use FindPrivateKey to locate the certificate by subject name, but I found that locating it by thumbprint was more reliable for multi-line subjects
- To grant an IIS application pool access to the key, specify the app pool's virtual account, which has the form
"IIS AppPool\app_pool_name"
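The same four steps can be done in PowerShell without FindPrivateKey, because the .NET certificate object can tell you the name of the key file directly. The script below is an added example, not the page's batch file; it assumes Windows PowerShell 5.1 or later running elevated, the PKI module (Import-PfxCertificate, Windows 8 / Server 2012 and later), an RSA key held by the default Microsoft software providers, and the default machine key directories under %ProgramData%\Microsoft\Crypto. The script name Install-CertForUser.ps1 and the parameter names are my own.

```powershell
# Install-CertForUser.ps1 (added example; not the script from the page).
# Usage (elevated):
#   .\Install-CertForUser.ps1 -User 'IIS AppPool\AppPool1' -Thumbprint bc4da1aa... -PfxPath .\certificate.pfx -PfxPassword 'password'
param(
    [Parameter(Mandatory=$true)] [string] $User,         # account to grant, e.g. 'IIS AppPool\AppPool1'
    [Parameter(Mandatory=$true)] [string] $Thumbprint,   # SHA-1 thumbprint of the certificate, hex
    [Parameter(Mandatory=$true)] [string] $PfxPath,
    [Parameter(Mandatory=$true)] [string] $PfxPassword
)
$ErrorActionPreference = 'Stop'

# Thumbprints pasted from the MMC snap-in often carry spaces or an invisible
# leading character; keep the hex digits only and compare case-insensitively.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'" }

$storePath = 'Cert:\LocalMachine\My'

# 1. Is the certificate already in LocalMachine\My?
$cert = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $Thumbprint }

# 2. If not, import the .pfx. The key is non-exportable unless you add -Exportable.
if (-not $cert) {
    $secret = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $storePath -Password $secret
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "Imported certificate has thumbprint $($cert.Thumbprint), expected $Thumbprint (wrong .pfx?)"
    }
}
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in $storePath" }

# 3. Locate the key file. CNG (KSP) keys and legacy CAPI (CSP) keys live in different
#    directories; the assumed paths are the defaults for the Microsoft software providers.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys') $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw 'Private key is not an RSA key held by the Microsoft software providers; locate it manually'
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found at $keyFile" }

# 4. Grant read access, the equivalent of: icacls "<keyfile>" /grant "<user>:R"
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Output "Granted $User read access to $keyFile"
```

Read access to the key file is all a service needs to sign or decrypt with the key; do not grant Modify or Full Control. The thumbprint check after the import is the safeguard the batch version lacks: if the wrong .pfx is shipped to a machine, the script stops before touching any ACL.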
Installing the certificate on a remote machine
I used the SysInternals tool PsExec to run the script on remote machines, using the below parameters:
PsExec.exe /accepteula \\hostname -i -s -w remote_working_folder cmd /c script_with_parameters
Where:
- hostname: the host on which the script will run
- remote_working_folder: a folder on the host that contains the batch file, the .pfx to import and FindPrivateKey.exe (copy them there first)
- script_with_parameters: the batch file to run with all parameters specified
- -s runs the script as LocalSystem, so certutil imports into the LocalMachine store and icacls is able to change the ACL on the key file
For example:
PsExec.exe /accepteula \\myhost -i -s -w c:\temp cmd /c install.bat "IIS AppPool\AppPool1" bc4da1aa2b7116abe33277a44eaab2135210e23b certificate.pfx password
Note that the .pfx password is passed on the command line, so it is visible in process listings on both machines and, where command-line auditing is enabled, in Security event 4688. The .pfx itself contains the private key, so delete it from the remote working folder once the import has succeeded.