
Wednesday, July 20, 2011

Installing multiple certificates on multiple remote servers

note: While doing this I had a strange issue where certutil (running via psexec) started complaining about arguments ("Expected no more than 1 args, received x"). The command was running fine before; it just stopped working and returned this error. In the end I wiped the certutil command file (CertUtilCommands.bat) and built it from scratch, running certutil -f initially, which got a dump output, then built up to the full command; doing this got the whole process working again. It's a strange one and I cannot explain it, but this got it working again.

Disclaimer: While I believe everything below will work, I cannot guarantee it. Please ensure you test before trying anything (which is of course what everyone does).

In my first article about installing certificates on multiple servers I used psexec to install one certificate in pfx format.

The time arose that I had to renew this certificate, but the supplier had also changed one of their upstream server certificates, so I had to install that too. So what I have done is reworked my first article and built a mechanism that allows all the certutil commands to be contained in one file.

Now I wanted to attach a file to this blog post with all the necessary files, however that was not possible as Blogger will not allow me to attach files…

So below I show the folder structure, describe each folder's purpose and then give the file contents for all the batch files.

Folders

[image: folder structure]

  • pstools is available from Microsoft here
  • CertutilFiles, this folder contains the certutil files that need to be copied to the remote machine. These files should be from a Win2k3 server (see image below).

[image: contents of the CertutilFiles folder]

  • CertFiles – This is where to put the certificate files (*.crt, *.pfx etc.) that you want to install.
  • reports – this is an empty folder that will contain the stdout of the commands run on each server. May help if issues are encountered.

Files

serverlist.txt – a basic list of the servers you want to run the commands on, one per line. This will obviously need to be changed to your server list.

server1
server2


cc.bat – this is the primary file (run cc from the command prompt). It will prompt you for information.



@ECHO OFF
:InputServerList
SET /p vserverList=Please enter filename of server list (default="serverlist.txt") :-

IF "%vserverList%"=="" (
SET vserverList=serverlist.txt
)

SET voptions=

SET /p vuser=Please enter username (default="<system account - will not have network access on remote machine>") :-

IF NOT "%vuser%" == "" (
SET voptions=-u %vuser%
) ELSE (
GOTO noUser
)

SET /p vpassword=Please enter password :-

SET voptions=%voptions% -p %vpassword%
GOTO userSet

:noUser
REM no username given: psexec -s runs as the local system account on the remote machine
SET voptions=-s

:userSet

REM reports holds each server's stdout; ignore the error if the folder already exists
MD reports 2>NUL

REM one window per server; voptions and vuser are also inherited by startcerts.bat as environment variables
FOR /F "eol=# tokens=1 delims=," %%A IN (.\%vserverList%) DO START CMD /C "startcerts.bat %%A %voptions% %vuser%>reports\output_command_%%A.txt"



startcerts.bat – This sets up a Windows share on the local machine so that the remote server can copy the files. The local computer's IP is passed to the remote server (only if nslookup resolves the computer name to an IP locally); if that fails, the computer name is passed instead, in which case it must be resolvable from the remote server.


The share will be removed at the end of the process.




note: I have found that psexec has an issue with some antivirus software (returning an "all pipes busy" error). If you encounter this then you should stop the antivirus software for the duration of the script. I include a net stop and net start command in the batch file; you will need to add the service name.



note: the script had an issue trying to connect back to itself, so I have now catered for that scenario by removing the credentials in the psexec command if the machine is connecting to itself.




SET Sharename=installcerts2%1
SET localserverip=

REM resolve this machine's IP; the space in delims strips the blanks after "Address:"
FOR /F "skip=4 tokens=2 delims=: " %%A IN ('2^>NUL nslookup %COMPUTERNAME%') DO (
SET localserverip=%%A
)

REM fall back to the computer name, which must then be resolvable from the remote server
IF "%localserverip%" == "" (
SET localserverip=%COMPUTERNAME%
)

REM if local machine name = remote machine, drop the credentials so psexec runs on the local machine
IF /I "%1" == "%COMPUTERNAME%" (
SET voptions=
)

REM read-only share of the current folder (quoted in case the path contains spaces)
net share %Sharename%="%CD%" /GRANT:everyone,READ

REM stop antivirus service; have found on win2k8 servers that this will prevent psexec from running, returning an all pipes busy error
net stop "<antivirus service>"

REM copy the certutil and certificate files to the remote machine
CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteSetup.bat %localserverip% %Sharename%

REM install the certificates as the local system account on the remote machine
CALL .\PsTools\psexec \\%1 -s -f -c CertUtilCommands.bat

REM remove the copied files from the remote machine
CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteClearUp.bat

REM restart the antivirus service stopped above
net start "<antivirus service>"

REM close any files still open on the share (%3 is the username when one was entered in cc.bat)
openfiles /disconnect /A %3

net share %Sharename% \\%COMPUTERNAME% /DELETE


certRemoteSetup.bat – This copies the files in the folders CertutilFiles and CertFiles to the remote machine's Windows temp folder (%windir%\Temp\CertInstall). The only issue I have found here is that if the computer name of the local machine cannot be resolved from the remote server, the copy fails because it cannot find the files to run.



xcopy /Y \\%1\%2\CertutilFiles\*.* %windir%\Temp\CertInstall\
xcopy /Y \\%1\%2\CertFiles\*.* %windir%\Temp\CertInstall\


CertUtilCommands.bat – This is the file that will need to be edited for your specific requirements.



REM /D also switches drive, in case %windir% is not on C:
CD /D %windir%\Temp\CertInstall\

REM each certutil command goes on a single line: store name, then the certificate file
Certutil -f -addstore AuthRoot .\<certificate1filename>.crt

Certutil -f -addstore CA .\<certificate2filename>.crt

REM the pfx password is given in clear text with -p
certutil -f -p <password> -importpfx .\<certificate3filename>.pfx
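As an added example, not one of the post's own files, here is a CertUtilCommands.bat that checks the exit code of every certutil call and writes a tagged PASS/FAIL line, so the per-server file in reports\ shows which step failed; it runs under psexec -s from startcerts.bat exactly like the original. The certificate file names, the store names and PFX_PASSWORD_PLACEHOLDER are assumptions to replace with your own.

```batch
@ECHO OFF
REM Added example, not one of the original post's files: CertUtilCommands.bat
REM with an exit-code check after every certutil call. The tagged PASS/FAIL
REM lines end up in reports\output_command_<server>.txt via startcerts.bat.
REM File names and PFX_PASSWORD_PLACEHOLDER are placeholders to replace.
SETLOCAL
SET FAILED=0

REM /D also switches drive, so %windir% need not be on C:
CD /D "%windir%\Temp\CertInstall\" || (ECHO [%COMPUTERNAME%] FAIL CertInstall folder missing & EXIT /B 1)

REM one certutil command per line: store name, then the file to add
CALL :addcert AuthRoot certificate1filename.crt
CALL :addcert CA certificate2filename.crt
CALL :importpfx certificate3filename.pfx PFX_PASSWORD_PLACEHOLDER

ECHO [%COMPUTERNAME%] DONE failures=%FAILED%
ENDLOCAL & EXIT /B %FAILED%

:addcert
REM %1 = store name, %2 = certificate file
IF NOT EXIST "%~2" (ECHO [%COMPUTERNAME%] FAIL %~2 not found & SET /A FAILED+=1 & EXIT /B 1)
certutil -f -addstore %1 "%~2"
IF %ERRORLEVEL% NEQ 0 (
    ECHO [%COMPUTERNAME%] FAIL addstore %1 %~2 returned %ERRORLEVEL%
    SET /A FAILED+=1
    EXIT /B 1
)
ECHO [%COMPUTERNAME%] PASS addstore %1 %~2
EXIT /B 0

:importpfx
REM %1 = pfx file, %2 = its password (clear text in this file, as in the original)
IF NOT EXIST "%~1" (ECHO [%COMPUTERNAME%] FAIL %~1 not found & SET /A FAILED+=1 & EXIT /B 1)
certutil -f -p %2 -importpfx "%~1"
IF %ERRORLEVEL% NEQ 0 (
    ECHO [%COMPUTERNAME%] FAIL importpfx %~1 returned %ERRORLEVEL%
    SET /A FAILED+=1
    EXIT /B 1
)
ECHO [%COMPUTERNAME%] PASS importpfx %~1
EXIT /B 0
```

A non-zero failure count is returned as the batch file's exit code, and certutil's own output is left unredirected so the report keeps its error text.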


certRemoteClearUp.bat – Deletes all the copied files and removes the directory.



DEL /Q /S %windir%\Temp\CertInstall\*.*
RD /Q /S %windir%\Temp\CertInstall
