
certutil help


Gunna
Jul 30, 2010, 1:50:03 AM
I'm trying to automate a cert import and was trying out certutil to do it but
got some odd results. I used this command:

certutil -addstore -f -user -v Personal c:\%username%.cer

and it imported the cert, but instead of importing it into the existing
default Personal store it created a new one and put the cert in the new one.
Can anyone help with that?

Stroud
Jul 30, 2010, 6:16:13 AM

If you wanted to import certificates into an existing store then you
should have used "repairstore" instead of "addstore". "repairstore" will
let you update it in your existing store.


--
Stroud
------------------------------------------------------------------------
Stroud's Profile: http://forums.techarena.in/members/76819.htm
View this thread: http://forums.techarena.in/microsoft-security/1355247.htm

http://forums.techarena.in

Gunna
Aug 2, 2010, 9:03:03 PM
OK, I tried repairstore but no joy. This is what I get.

C:\>certutil -repairstore -user Personal c:\%username%.cer
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
313.1460.0: 0x80090011 (-2146893807)
313.1765.0: 0x80090011 (-2146893807)
313.3158.0: 0x80090011 (-2146893807)
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.
301.3128.0: 0x80090011 (-2146893807)

Paul Adare
Aug 3, 2010, 2:19:27 AM
On Fri, 30 Jul 2010 05:16:13 -0500, Stroud wrote:

> If you wanted to import certificates into an existing store then you
> should have used "repairstore" instead of "addstore". "repairstore" will
> let you update it in your existing store.

Sorry but this is simply wrong. The repairstore option allows you to
reassociate a private key with a certificate but the certificate in
question has to already exist in the store in question. It is not the
correct option for importing a certificate into a store.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Paul Adare
Aug 3, 2010, 2:20:47 AM

You're using the wrong store name. While the UI presents it as Personal, the
actual store name is My.
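An added example, not from the thread or from either poster, that puts the two replies above together: import the .cer with the store name certutil actually expects (My, not the MMC label Personal), verify that it landed in the existing store rather than in a stray store created by the earlier run, and report whether a private key is attached, which is the only situation -repairstore can help with. The file path c:\<username>.cer is taken from the first post; everything else is assumed for illustration.

```powershell
# Added example (not the thread's own code): import a .cer into the user's
# existing Personal store, whose real name is "My", and check the result.
$certPath = "C:\$env:USERNAME.cer"   # assumed location, as in the original command

# 1. The label "Personal" in the MMC maps to the store name "My". Listing the
#    user's stores shows the real names that certutil and .NET expect.
Get-ChildItem Cert:\CurrentUser | Select-Object -ExpandProperty Name

# 2. Import with the correct store name (corrected form of the first post's
#    command). -f replaces an existing copy of the same certificate.
certutil -addstore -f -user My $certPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# 3. Confirm the certificate is now in CurrentUser\My.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw "Certificate $($cert.Thumbprint) not found in CurrentUser\My" }

# A run with the wrong name (-addstore ... Personal) creates a separate store
# literally called "Personal" next to My; flag it so it can be cleaned up.
if (Test-Path Cert:\CurrentUser\Personal) {
    Write-Warning 'Found a separate store named "Personal"; it was probably created by an earlier run with the wrong store name.'
}

# 4. A .cer file carries only the public certificate. -repairstore re-links a
#    certificate already in the store with a key already on the machine; it
#    does not import anything, so report the key state explicitly.
[pscustomobject]@{
    Subject       = $installed.Subject
    Thumbprint    = $installed.Thumbprint
    HasPrivateKey = $installed.HasPrivateKey
}
if (-not $installed.HasPrivateKey) {
    Write-Warning 'No private key is associated with this certificate. If the key exists on this machine, "certutil -user -repairstore My <serial number>" can re-link it; otherwise the certificate cannot be used for client authentication.'
}
```

Run it in the user's own session, since both certutil -user and the Cert:\CurrentUser drive act on the profile of whoever is logged on. The HasPrivateKey check is the part worth keeping in any automation of this kind: a certificate that imports cleanly but has no key will still fail at VPN logon.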

Gunna
Aug 11, 2010, 8:39:03 PM
Ah, got it Paul, many thanks. You truly are a guru :)

"Paul Adare" wrote:

> .
>

Gunna
Aug 11, 2010, 9:02:03 PM
Paul,

Before I spend time mucking around I figured you might know the answer to
this related question. So far I've been using the certutil -addstore command
to bring in a cert that exists already on the machine's local C drive.

I wanted to maybe do it in 2 steps and the first step is my new problem. I
want to, if possible, export a cert called %username%.cer from the Active
Directory User Object Store to the local disk c:\

Then I will be using the addstore command to bring it into the Personal store,
which you have helped me with. Do you know a quick command to export the
cert from the Active Directory User Object Store?

Thanks

"Paul Adare" wrote:

> .
>

Paul Adare
Aug 12, 2010, 1:35:07 AM
On Wed, 11 Aug 2010 18:02:03 -0700, Gunna wrote:

> Before I spend time mucking around I figured you might know the answer to
> this related question. So far I've been using the certutil -addstore command
> to bring in a cert that exists already on the machine's local C drive.
>
> I wanted to maybe do it in 2 steps and the first step is my new problem. I
> want to, if possible, export a cert called %username%.cer from the Active
> Directory User Object Store to the local disk c:\
>
> Then I will be using the addstore command to bring it into the Personal store,
> which you have helped me with. Do you know a quick command to export the
> cert from the Active Directory User Object Store?

I think we should probably back up a step first. Why are you trying to do
this in the first place? Can you describe the business/technology need that
requires you to export a cert from AD and import it into the local store?
The reason I ask is that if I understand the environment/situation a little
better, there may well be a better solution to the problem you're trying to
solve.

Gunna
Aug 12, 2010, 7:23:03 AM
Sure, I'll try to summarise. We are issuing Client Auth certs from 2008 PKI.
The cert is to be used for cert auth when logging onto VPN. The issue is
when a user is issued a certificate via autoenrollment the cert only appears
in the "Active Directory User Object" store. Because it's not in the Personal
store, when the user is offline the VPN client does not have access to the
cert. This is why I want to automatically export the cert and reimport it
into the Personal store. I'm dealing with 20000+ users so it needs to be
automatic.

The cert template has the publish to AD option ticked; is this setting
stopping it from being installed to the local Personal store, or is there
something else?

"Paul Adare" wrote:

> .
>
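An added example, not from the thread, for checking the situation Gunna describes before building any export/import automation around it. The "Active Directory User Object" store shown in the MMC is the userCertificate attribute on the user's AD object, and that attribute holds only the public certificate. The script below reads those published certificates with plain .NET DirectoryServices (no RSAT modules needed), compares them with what is installed in CurrentUser\My, and reports for each one whether it is present locally and whether the private key is present. It assumes a domain-joined machine and a logged-on domain user; no template or domain names are hard-coded.

```powershell
# Added example (not the thread's own code): compare the certificates published
# on the current user's AD object with the user's local My store.
Add-Type -AssemblyName System.DirectoryServices

# Find the logged-on user's AD object by sAMAccountName (assumes domain membership).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('userCertificate')
$result = $searcher.FindOne()
if (-not $result) { throw "No AD user object found for $env:USERNAME" }

# userCertificate is multi-valued; each value is one DER-encoded certificate.
# Only the public half is stored in AD, never the private key.
$published = foreach ($der in $result.Properties['usercertificate']) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
}
if (-not $published) { Write-Warning "No certificates are published on the AD object for $env:USERNAME" }

$localMy = Get-ChildItem Cert:\CurrentUser\My

# One row per published certificate: is it in the local store, and is the
# private key available so that it can actually be used for client auth?
$report = foreach ($cert in $published) {
    $match = $localMy | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InLocalMy     = [bool]$match
        HasPrivateKey = if ($match) { [bool]$match.HasPrivateKey } else { $false }
    }
}
$report | Format-Table -AutoSize

# Certificates that exist in AD but have no usable key on this machine cannot
# be made usable by copying the .cer back into My; they need re-enrollment.
$report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "$($_.Thumbprint) ($($_.Subject)) has no private key on this machine."
}
```

The useful output is the HasPrivateKey column: if a certificate is published in AD but the local My store holds it without a key, or does not hold it at all, exporting the .cer from AD and importing it will not give the VPN client anything it can authenticate with, because the key never left the machine that enrolled (or was never generated locally). That is the check to run on a handful of affected users before deciding between an export/import script and a fix on the enrollment side.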

~BD~
Aug 12, 2010, 3:37:52 PM
Paul Adare wrote:

> The reason I ask is that if I understand the environment/situation a little
> better, there may well be a better solution to the problem you're trying to
> solve.
>

I note that there are *still* no clients listed here!

http://www.identit.ca/clients.html

Why *is* that?

Gunna
Aug 22, 2010, 10:06:03 PM
BUMP?

"Paul Adare" wrote:

> .
>
