
CA Certificate Issue

Hi All,

Issue: In user mode the application is throwing a pop-up regarding "CA certificate". I tried importing the certificate using the following cmds:
certmgr.exe -add -c "<cert-file>" -s -r localMachine root
Certmgr.exe -c YourCertificate -s TrustedPublishers -add

It is showing "success", but the pop-up is coming again in user mode, and prompting to import the certificate again.

Does anyone have any idea how to resolve this?

Thanks,
DN


Answers (10)

Posted by: anonymous_9363 12 years ago
Red Belt
0
Two clues: user mode and localMachine root, and a hint, viz. your users are unlikely to have local administrator rights.
Posted by: dnmech 12 years ago
Senior Purple Belt
0
You mean to say that I should install the certificate in "CurrentUser" mode. In that case I need to make sure that the cmd is executed for every user.

Did I understand your point, or did I miss any point?

Thnx
DN
Posted by: anonymous_9363 12 years ago
Red Belt
0
If you do that, you need to use a different "root". MSDN will have the details. Search there for 'certmgr'. Alternatively - and better - install it in System context using the command line you have and it'll be installed for the machine, in other words, all users.
Posted by: tron2ole 12 years ago
Third Degree Blue Belt
0
I am dealing with a similar issue where I have created my 2 certificates and need to add them as CAs into my MSI.
I had the certmgr.exe in the binary, so my CA source linked to the certmgr in the Binary table and the Type is 3074.
Target was -add c:\temp\abc.cer -c -s -r LocalMachine TrustedPublisher

Works fine using the /qn switch "although" I see a couple of cmd windows popup and exit very quickly.
Therefore, via SCCM deployment testing....the package did not work....and I suspected it would not work too.
Testing via psexec -i -s cmd to execute cmd as system context.

I am trying another method....but I am suspicious.
Add the certmgr in the c:\windows dir.
The CA will use the SystemFolder in the Source - call cmd.exe /c c:\windows\certmgr.exe -add c:\temp\abc.cer -c -s -r LocalMachine TrustedPublisher
Type 3106

Am I going about it in the right way....not sure?
Posted by: dannyarya 12 years ago
Senior Purple Belt
0
@ tron2ole - If you are doing installation of a machine-based certificate then it'll work fine.

You can also use type: 1106 CA

For Example:

CustomAction Table-

PublicPrimaryCertificate | 1106 | certmgr.exe | -add -c "[INSTALLDIR]Verisign Class 1 Public Primary CA - G3.cer" -s -r LocalMachine ROOT
IndividualSubscriberCertificate | 1106 | certmgr.exe | -add -c "[INSTALLDIR]Verisign Class 1 Individual Subscriber CA - G3.cer" -s -r LocalMachine CA
Posted by: tron2ole 12 years ago
Third Degree Blue Belt
0
Cheers, I will give it a shot.....
Posted by: rich0864 12 years ago
Orange Belt
0
If it helps,
I used 'certutil -dspublish -f "SomeCertificateCA.cer" NTAuthCA' to achieve the same thing.

Worked without issue running both from psexec cmd as system and from SCCM.

Cheers
Rich
Posted by: tron2ole 12 years ago
Third Degree Blue Belt
0
WOW - I thought that I would just add the two blob registry keys: HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\
So the MSI only contains those two reg keys....installs fine and tested in system context....
In SCCM....does not deploy the reg keys....weird.....
I have now added the keys in a script and added it as a CA in the MSI to test....strange though....
Could be one to be thrown to the SCCM forum....

Comments:
  • Make sure the "WriteRegistryValues" (containing this BLOB) will be executed earlier in the "InstallExecuteSequence" table than the "MsiInstallDrivers" or CA where drivers are being installed. - mduiker 8 years ago
Posted by: anonymous_9363 12 years ago
Red Belt
0
And the verbose log - which of course you specified in your command line - tells you......what?
Posted by: tron2ole 12 years ago
Third Degree Blue Belt
0
The MSI verbose log was fine - no errors as the package actually installs - just no reg keys via SCCM but SCCM deployment.
The SCCM log showed an entry: The code is inconsistent with the package cache....
Anyway....the CA with the registry keys worked fine....
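
A read-only check for the situation discussed in this thread, added here as an example and not posted by any participant: it computes the thumbprint of a .cer file and reports whether that certificate is present in the LocalMachine ROOT, CA and TrustedPublisher stores, and which account ran the check. The $CertPath parameter and the script layout are assumptions; the registry location is the TrustedPublisher one mentioned above, extended to ROOT and CA.

```powershell
# Added example. $CertPath is a placeholder for the .cer file your package imports.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

# Record the execution context: a standard user, an elevated admin and SYSTEM
# (SCCM, psexec -s) behave differently when writing to machine stores.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Load the file only to compute its thumbprint; nothing is imported.
$resolved = (Resolve-Path -LiteralPath $CertPath).Path
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($resolved)
$thumb    = $cert.Thumbprint

# Physical machine-store locations in the registry. Reading these instead of
# Cert:\CurrentUser avoids the logical-store view, which can also show
# machine-store certificates and hide where a certificate really lives.
$base   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
$stores = 'ROOT', 'CA', 'TrustedPublisher'

$report = foreach ($store in $stores) {
    [pscustomobject]@{
        Store      = "LocalMachine\$store"
        Thumbprint = $thumb
        Present    = Test-Path -LiteralPath "$base\$store\Certificates\$thumb"
    }
}

"Running as : {0} (SYSTEM: {1}, elevated admin: {2})" -f $identity.Name, $identity.IsSystem, $isAdmin
"Subject    : {0}" -f $cert.Subject
$report | Format-Table -AutoSize

# Exit non-zero when no machine store holds the certificate, so the script
# can be used as a detection step by a deployment tool.
if (-not ($report | Where-Object Present)) { exit 1 }
```

Certificates delivered by Group Policy are stored under a separate Policies key and are not covered by this check.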