Monday, March 13, 2017

Using certificates as applications in SCCM

This is more for my own benefit, although some may find this useful.

Here is how to import certificates using the Application model in SCCM.  This also includes some basic errorlevel handling.

First, create an Application with a Script Installer deployment type and point its installation command at the following batch script (e.g. save it as InstallCertificate.cmd in the same content folder as the .pfx files). SCCM copies that content to the client cache and runs the command as LocalSystem, which is why the script locates the PFX with %~dp0 (the directory the script runs from) and why the certificate lands in the machine's Personal store rather than a user's.


@echo off
setlocal
rem SCCM stages the content next to this script, so check the same place we import from (%~dp0 already ends in a backslash)
set "PFX=%~dp0%COMPUTERNAME%.pfx"
set "LOG=C:\logs\cert_install.log"
set "OUT=%TEMP%\certutil_import.txt"
if not exist "C:\logs" mkdir "C:\logs"
if not exist "%PFX%" (echo No PFX for %COMPUTERNAME% >> "%LOG%" & exit /b 1)
echo Cert exists for this endpoint. >> "%LOG%"
rem NoExport marks the private key non-exportable. Capture certutil's output in a file first: "... >> log | findstr" leaves nothing for findstr to read
certutil.exe -f -p CertPassword1 -importpfx "%PFX%" NoExport > "%OUT%" 2>&1
set "RC=%ERRORLEVEL%"
type "%OUT%" >> "%LOG%"
findstr /C:"ERROR_INVALID_PASSWORD" "%OUT%" > nul
if not errorlevel 1 goto password2
exit /b %RC%
:password2
echo First password invalid - trying second password. >> "%LOG%"
certutil.exe -f -p CertPassword2 -importpfx "%PFX%" NoExport >> "%LOG%" 2>&1
exit /b %ERRORLEVEL%


(In this example there were two passwords in use, depending on who had created the certificate in our environment, hence the errorlevel checking. certutil reports a wrong PFX password as 0x80070056 ERROR_INVALID_PASSWORD, which is what the script looks for before retrying with the second password; any other failure is passed back to SCCM as the exit code. Note that both passwords sit in cleartext in a script that is copied to every targeted client's content cache and shown in the console: NoExport limits what can be done with the key after import, not what can be done with the PFX file itself.)
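The same two-password import written in PowerShell, as an added example that is not the post's own script: the wrong-password case becomes a caught exception instead of a grep over certutil's output, the script refuses to report success when no PFX is present, and it skips the import when the certificate is already in the store. It assumes the .pfx sits next to the script in the SCCM content directory under the name <hostname>.pfx; the password values are the post's placeholders.

```powershell
# Added example (not the original post's script). Run by SCCM as LocalSystem via
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File InstallCertificate.ps1
# Assumptions: <hostname>.pfx is staged beside this script; the passwords below are placeholders.
$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$pfxPath   = Join-Path $scriptDir "$env:COMPUTERNAME.pfx"
$passwords = @('CertPassword1', 'CertPassword2')   # placeholder values from the post
$logFile   = 'C:\logs\cert_install.log'

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $logFile
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $logFile -Value ("{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message)
}

if (-not (Test-Path -LiteralPath $pfxPath)) {
    Write-Log "No PFX for $env:COMPUTERNAME at $pfxPath"
    exit 1   # non-zero so SCCM records a failure instead of a phantom success
}

# MachineKeySet: the key goes into the machine key container (we run as SYSTEM).
# PersistKeySet: keep the key once the object is disposed.
# Not setting Exportable is the equivalent of certutil's NoExport modifier.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = $null
$n     = 0
foreach ($pw in $passwords) {
    $n++
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pw, $flags)
        break
    }
    catch {
        # A wrong password surfaces as 0x80070056 ERROR_INVALID_PASSWORD ("The specified network
        # password is not correct"); a corrupt file fails here too, with a different message.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        Write-Log "Import with password #$n failed: $($ex.Message)"
    }
}
if (-not $cert) { Write-Log 'No candidate password opened the PFX'; exit 1 }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $already = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
    if ($already.Count -gt 0) {
        Write-Log "Certificate $($cert.Thumbprint) already present; nothing to do"
    }
    else {
        $store.Add($cert)   # persists the certificate together with its private key association
        Write-Log "Imported $($cert.Subject) ($($cert.Thumbprint)); private key present: $($cert.HasPrivateKey)"
    }
}
finally { $store.Close() }
exit 0
```

Because the script is started with -File, the exit statements become the process exit code that SCCM evaluates (0 = success, anything else = failure), which is what makes the "no PFX found" branch visible in the deployment status instead of disappearing into the log.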

The detection method of the Application is then defined as a Powershell script:

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*$env:computername*"}

SCCM treats a script-based detection method as "installed" when the script writes something to STDOUT (and nothing to STDERR) and exits 0, so emitting the matching certificate object is enough. This checks that a certificate whose subject contains the computer's hostname exists in the machine's Personal store (which is how this particular certificate is issued). Keep in mind that -like with wildcards on both sides is a substring match: a host named PC1 would also be "detected" by a certificate issued to PC10. Another variant would be this install script (InstallCertificate.cmd example):

@echo off
rem Check the same directory the import reads from: SCCM stages the content next to this script (%~dp0 already ends in a backslash)
set "CER=%~dp0CertName.cer"
if not exist "C:\logs" mkdir "C:\logs"
if not exist "%CER%" (echo Certificate file not found >> C:\logs\cert_install.log & exit /b 1)
echo Certificate found >> C:\logs\cert_install.log
rem "root" is the machine's Trusted Root Certification Authorities store: anything added here is trusted for everything
certutil -addstore root "%CER%" >> C:\logs\cert_install.log 2>&1
exit /b %ERRORLEVEL%

The detection method for this example would be this Powershell script:

Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*CertName*"}

"CertName" in this example stands for the certificate's subject (the CN) as it is listed in the store. Because -like wraps it in wildcards this is again a substring match, so choose a string that cannot match an unrelated root certificate, or compare the full Subject with -eq instead.
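A stricter version of the two detection methods above (the per-machine certificate in the Personal store and the root certificate in the Root store), as an added example rather than the post's own detection script. It matches the CN exactly instead of as a substring, requires a usable private key for the client certificate, ignores expired copies, and writes to STDOUT only when everything holds, which is what SCCM keys off. It assumes the client certificate's CN is exactly the hostname and that 'CertName' stands in for the root certificate's CN.

```powershell
# Added example (not the original post's detection method). SCCM marks the application as installed
# only when this script writes to STDOUT, nothing to STDERR, and exits 0, so emit nothing otherwise.
# Assumptions: client cert CN == hostname; 'CertName' is a placeholder for the root certificate's CN.
function Test-CertificateInstalled {
    param(
        [Parameter(Mandatory = $true)][string]$StoreName,   # 'My' (Personal) or 'Root'
        [Parameter(Mandatory = $true)][string]$CommonName,  # CN to match exactly, not as a substring
        [switch]$RequirePrivateKey                           # a client cert without its key is useless
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CommonName } |   # PC1 no longer matches PC10
        Where-Object { -not $RequirePrivateKey -or $_.HasPrivateKey } |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }         # skip expired / not-yet-valid copies
}

# Variant 1 from the post: the per-machine client certificate in the Personal store.
$found = @(Test-CertificateInstalled -StoreName 'My' -CommonName $env:COMPUTERNAME -RequirePrivateKey)
# Variant 2 from the post would be:
# $found = @(Test-CertificateInstalled -StoreName 'Root' -CommonName 'CertName')

if ($found.Count -gt 0) {
    # Any STDOUT text flags the app as installed; logging the thumbprints makes AppDiscovery.log on the client useful.
    Write-Output ('Detected: ' + (($found | ForEach-Object { $_.Thumbprint }) -join ', '))
}
exit 0
```

Wrapping the call in @() keeps .Count meaningful whether zero, one or several certificates come back, and the exact-CN comparison via GetNameInfo avoids having to hand-build a "CN=..." string that may not match the order of RDNs in the real subject.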

I have yet to make an uninstall script for this Application, since in our environment it wasn't really needed (and I didn't want users to have the power to remove the cert in the first place). For the second example the uninstall command would use certutil with -delstore instead of -addstore, but note that -delstore takes the store name and a certificate identifier (the CN, serial number or SHA-1 thumbprint as shown in the store), not the path to the .cer file. Removing a certificate from the store also does not remove its private key container, which matters for the first example if the key should really be gone.
