
Wednesday, June 30, 2010

Automating installing/importing a pfx (certificate) from the command line (certutil) on remote servers.

Note: please also see this article

A few days ago I had to sit and install a new certificate on a number of servers. These servers were not in an AD environment, so using Group Policy was not an option.

However, I thought I could somehow script this. I have written a few batch files in the past to execute on a remote server, and to do this I used the Sysinternals tool psexec. So all I needed was a way to import from the command line.

I found that certutil.exe (a free MS tool), which appears to come with Windows Server 2003 and later, could probably do what I wanted. However, just using the help I could not see a command to import a pfx; after trawling Google for a while I found that there is a command, it just does not appear to be listed in the certutil help (certutil /?).

So I used the following command:

certutil -f -p <passwordOfPfxFile> -importpfx <filelocation>

-f: force overwrite of the certificate

-p: password of the pfx file

This command will install the certificate into the personal store of the computer account. There are additional options to install to other stores and locations, such as "-user My", which puts it into the personal store of the user, and "-addstore ca". Please look these up yourself, as I only include them here as a quick reference.

This command worked a treat on the local machine, so now it was just a matter of getting it to run remotely:

psexec -u <username> -p <password> \\<servername> certutil -f -p <pfxpassword> -importpfx <pfx File Location>

-u: the remote server username.

-p: the remote server user's password.

I used the psexec command and stored the pfx file in a location accessible to all servers (a UNC path).

Now all I needed to do was loop through all the servers. I did this by setting up a file with all the servers listed in it, then created two batch files: one to loop through the server list and pass each server to the second batch file, which contained the psexec statement above.


FOR /F "tokens=1 delims= " %%G IN (.\serverlist.txt) DO batchFile2.bat %%G

This command loops through the serverlist.txt file; %%G will be the server name retrieved from serverlist.txt, which is then passed to batchFile2.bat.


psexec -u <username> -p <password> \\%1 certutil -f -p <pfxpassword> -importpfx <pfx File Location>

This command takes the first parameter passed to the file (%1, the server name) and runs certutil via psexec on that server.


Windows 2000: I found that the certutil on Windows 2000 moaned about the -p parameter. I got round that by copying the following files from a Windows 2003 server to a temporary location on the Windows 2000 servers. The call to certutil then had to use the full path (it could not rely on the system path).

certreq.exe, certutil.exe, certcli.dll, certadm.dll

psexec -u <username> -p <password> \\%1 c:\templocation\certutil -f -p <pfxpassword> -importpfx <pfx File Location>
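As an added example (not the post's own batch files), here is the whole procedure folded into a single script: it reads serverlist.txt, runs the certutil import on each server through psexec, checks the exit code of each run, writes a per-server result line to a log, and lists the machine's personal store on each server that succeeded so you can confirm the certificate actually landed. The share path, file names, log name, the leading-# comment convention in the server list and the CERTUTIL variable (which covers the Windows 2000 case by pointing at the copied binaries) are assumptions of this example; every <...> value is a placeholder to fill in.

```batch
@echo off
REM Added example, not the original post's code. Combines the server loop,
REM the psexec/certutil call and a post-import check in one batch file.
setlocal EnableDelayedExpansion

REM --- settings (constructed placeholders, fill these in) ---
set "SERVERLIST=%~dp0serverlist.txt"
set "PFX=\\<fileserver>\<share>\<certificate>.pfx"
set "PFXPWD=<pfx password>"
set "RUSER=<remote admin user>"
set "RPWD=<remote admin password>"
set "LOG=%~dp0import.log"

REM certutil on the target: plain "certutil" for Windows 2003 and later, or the
REM full path of the copied Windows 2003 binaries on Windows 2000 targets.
set "CERTUTIL=certutil"

if not exist "%SERVERLIST%" (
    echo Server list "%SERVERLIST%" not found.
    exit /b 2
)

set /a OK=0
set /a FAILED=0

REM eol=# lets you comment a server out with a leading #; tokens=1 keeps only the name.
for /F "usebackq eol=# tokens=1 delims= " %%G in ("%SERVERLIST%") do (
    echo [%%G] importing certificate
    REM -accepteula stops the first-run EULA dialog from hanging an unattended loop.
    REM psexec returns the exit code of the remote certutil, so it can be checked here.
    psexec -accepteula \\%%G -u "%RUSER%" -p "%RPWD%" %CERTUTIL% -f -p "%PFXPWD%" -importpfx "%PFX%"
    if errorlevel 1 (
        echo [%%G] FAILED rc=!errorlevel!
        >>"%LOG%" echo %%G FAILED rc=!errorlevel!
        set /a FAILED+=1
    ) else (
        REM Confirm the import by listing the computer account's personal store.
        psexec -accepteula \\%%G -u "%RUSER%" -p "%RPWD%" %CERTUTIL% -store My
        >>"%LOG%" echo %%G OK
        set /a OK+=1
    )
)

echo Done: %OK% succeeded, %FAILED% failed. Details in "%LOG%".
endlocal
```

Note that the remote credentials and the pfx password sit in clear text in this file and on the command line of each psexec run, where they are visible in the process list on both ends; keep the script on restricted storage and remove it (and the pfx from the share) once the rollout is finished.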


Sunday, June 27, 2010

ShrewSoft / Cisco VPN Client– periodic disconnection

I recently had to set up the ShrewSoft VPN connection for work, mainly because they were rolling out Windows x64 and the Cisco VPN client did not support the x64 environment.

Now the ShrewSoft VPN client is great, and all I did was import the Cisco *.pcf files from the 32-bit VPN client, and connectivity was established.

However, of the two connections I set up, I found that while they initially connected, after a set amount of time one of the connections would disconnect with the error

“Connection terminated by gateway”

This was a tad annoying, and I could see no cause. However I eventually managed to establish that the timeout matched exactly to the setting on the firewall.

After trawling the internet, not really understanding what was going on, although pretty sure this setting was the culprit as the times matched (1000 seconds, 16 min 40 seconds), I stumbled across this.

What it eventually came down to was a mismatch in values between the firewall and the client. Now as far as I am aware this disconnection will only occur if the lifetime value on the client is greater than the firewall. (I don’t really understand why it connects once and then craps out).

Now the solution is to set the lifetime value in the client to the same as, or less than, the value on the firewall. This then means that when the period is reached the client and the firewall can negotiate a new key.

Here is where the setting is in the ShrewSoft VPN client.


Here is the setting in the Cisco firewall:

isakmp policy 1 lifetime 1000


Thursday, June 24, 2010

Identify Internet Explorer x86/x64 on Windows 7 taskbar

I had Internet Explorer pinned to my taskbar; however, I found that sometimes when I clicked on some links IE would open as a separate icon on my taskbar instead of grouping with the IE that was pinned. (The image below shows this. Please note it shows my new icon identifying the 64-bit version (right); the left IE icon is the pinned 32-bit version.)


What I discovered is that these links were opening with IE x64. I wanted to be able to distinguish between the two. So I created an icon for IE64 and saved this .ico file to my Windows folder; then in my "All Programs" menu I went to the properties of IE 64-bit, selected Change Icon, browsed for the icon and clicked OK.


Now in your Start menu, right-click on IE64 and select "Pin to taskbar". And that's it: now when you fire up IE 32-bit it will be grouped with the 32-bit version and IE64 will be grouped with the 64-bit version, and you can easily identify which version you are running.


If you want the icon file, it's here


Monday, June 07, 2010

Samsung i8910 (HD, icon) – Totally refresh music library

I had an issue with this phone and the music library: it kept adding duplicate entries of random music. Even when I removed the music from the phone the other entries were still there! To me it looked as if the music player was not working correctly.

In the end I traced the problem down to Windows Media Player (WMP) on my desktop machine, and the setting that copies music you play in WMP to a portable device you have connected. So whenever I had my phone connected while I was using WMP, it was merrily copying the music to my phone!

However back to the article topic, while trying to figure out what was going on I was trying to find a way to clear out the music player on the phone, and I did.

The music library for the music player is held in a file called mpxv2_2.db. So just search your phone for this file; I just connect the phone to the PC in mass storage mode and use Windows search. However, you should find the file in the following folder


Also of note: the file name may be a derivative of mpxv2_2.db; my file was actually [101ffc31]mpxv2_2.db. Just delete this file and fire up the music player; it will trawl your phone again and recreate this library file.