
Wednesday, July 20, 2011

Installing multiple certificates on multiple remote servers

note: While doing this I had a strange issue where certutil (running via psexec) started complaining about arguments ("Expected no more than 1 args, received x"). The command was running fine before; it just stopped working and returned this error. In the end I wiped the certutil command file (CertUtilCommands.bat) and built it from scratch, running certutil -f initially, which got a dump output, then built up to the full command. Doing this got the whole process working again. It's a strange one and I cannot explain it, but this got it working again.

Disclaimer: While I believe everything below will work, I cannot guarantee it. Please make sure you test before trying anything (which is of course what everyone does).

In my first article about installing certificates on multiple servers I used psexec to install one certificate in PFX format.

The time came when I had to renew this certificate, but the supplier had also changed one of their upstream server certificates, so I had to install that too. So I have reworked my first article and built a mechanism that allows all the certutil commands to be contained in one file.

Now I wanted to attach a file to this blog post with all the necessary files, however that was not possible as Blogger will not allow me to attach files…

So below I show the folder structure, describe folder purpose and then I give the file contents for all the batch files.



  • PsTools – available from Microsoft (Sysinternals); psexec is the only tool from it that the scripts use.
  • CertutilFiles – this folder contains the certutil files that need to be copied to the remote machine. These files should be taken from a Win2k3 server (see image below).


  • CertFiles – this is where to put the certificate files (*.crt, *.pfx, etc.) that you want to install.
  • reports – this is an empty folder that will contain outputs of stdout for the commands run. May help if issues encountered.


serverlist.txt – a basic list of the servers you want to run the commands on. This will obviously need to be changed to your server list.


cc.bat – this is the primary file (run cc from the command prompt). It prompts for the server list file and, optionally, a username and password, then launches startcerts.bat once per server, with each server's output going to the reports folder. Note that the password is typed in clear text and is handed to psexec on its command line, so it is visible in the local process list while the script runs; if the username is left blank, psexec runs as the SYSTEM account (-s), which has no network access from the remote machine.

@ECHO OFF
SETLOCAL

REM clear the variables first: SET /p leaves a variable untouched if the user just presses Enter
SET vserverList=
SET vuser=
SET vpassword=

SET /p vserverList=Please enter filename of server list (default="serverlist.txt") :-

IF "%vserverList%"=="" (
SET vserverList=serverlist.txt
)

SET voptions=

SET /p vuser=Please enter username (default="<system account - will not have network access on remote machine>") :-

IF NOT "%vuser%" == "" (
SET voptions=-u %vuser%
) ELSE (
GOTO nouser
)

SET /p vpassword=Please enter password :-

SET voptions=%voptions% -p %vpassword%
GOTO userset

:nouser
REM no username given: run psexec as the SYSTEM account on the remote machine
SET voptions=-s

:userset
IF NOT EXIST reports MD reports

REM one startcerts.bat per server, each in its own window; lines starting with # in the list are skipped.
REM voptions is inherited by the child CMD through the environment; %vuser% is passed so startcerts.bat can disconnect that user's open files on the share.
FOR /F "eol=# tokens=1 delims=," %%A IN (.\%vserverList%) DO START CMD /C "startcerts.bat %%A %voptions% %vuser%>reports\output_command_%%A.txt"

startcerts.bat – this sets up a Windows share on the local machine, which allows the remote server to copy the files. The local computer's IP address is passed to the remote server (only if nslookup can resolve the computer name to an IP locally); if that fails the computer name is passed instead, in which case it will need to be resolvable from the remote server.

The share is granted read access to Everyone and is removed at the end of the process. While it exists, anyone who can reach the local machine over SMB can read the .pfx files in CertFiles and the PFX password in CertUtilCommands.bat, so run this from a machine and network segment you trust.

note: I have found that psexec has issues with some antivirus software (returning an "all pipes busy" error). If you encounter this then you should stop the antivirus software for the duration of the script. I include a net stop and net start command in the batch file; you will need to add the service name.

note: the script had issues trying to connect back to itself, so I have now catered for that scenario by removing the credentials from the psexec command if the machine is connecting to itself.

SET Sharename=installcerts2%1
SET localserverip=

REM nslookup prints our own record after four header lines as "Address:  x.x.x.x";
REM delims of colon and space drop the label and the leading spaces, leaving just the address
FOR /F "skip=4 tokens=2 delims=: " %%A IN ('2^>NUL nslookup %COMPUTERNAME%') DO (
SET localserverip=%%A
)

IF "%localserverip%" == "" (
SET localserverip=%COMPUTERNAME%
)

REM if localmachine name = remote machine reset options to run on local machine
IF /I "%1" == "%COMPUTERNAME%" (
SET voptions=
)

REM share the current folder read-only to Everyone (quoted in case %CD% contains spaces);
REM until it is deleted below, CertFiles (.pfx) and CertUtilCommands.bat (PFX password) are readable by anyone who can reach this machine
net share "%Sharename%=%CD%" /GRANT:everyone,READ

REM stop antivirus service, have found on win2k8 servers that this will prevent psexec from running, returning all pipes busy error.
net stop "<antivirus service>"

REM copy and run the setup script as the given user (needs network access to reach the share)
CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteSetup.bat %localserverip% %Sharename%

REM run the certutil commands as SYSTEM so the certificates and private key land in the LocalMachine stores
CALL .\PsTools\psexec \\%1 -s -f -c CertUtilCommands.bat

CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteClearUp.bat

REM restart the antivirus service once psexec is finished
net start "<antivirus service>"

REM close any files the remote account still holds open on the share before removing it
REM (%3 is the username passed from cc.bat; the command name on this line is assumed to be openfiles, the built-in that takes /disconnect /A <user>)
IF NOT "%3" == "" openfiles /disconnect /A %3

net share %Sharename% /DELETE

certRemoteSetup.bat – this copies the files in the folders CertutilFiles and CertFiles to the remote machine's Windows temp folder (%windir%\Temp\CertInstall). The only issue I have found here is that if the name of the local machine cannot be resolved from the remote server, the copy will fail as it cannot find the files to run.

REM %1 = local machine (IP or name), %2 = share name; /I and the trailing backslash make xcopy create CertInstall without prompting
xcopy /Y /I \\%1\%2\CertutilFiles\*.* %windir%\Temp\CertInstall\
xcopy /Y /I \\%1\%2\CertFiles\*.* %windir%\Temp\CertInstall\

CertUtilCommands.bat – This is the file that will need to be edited for your specific requirements.

REM /D also switches drive in case %windir% is not on the current one
CD /D %windir%\Temp\CertInstall\

REM keep each certutil command on a single line; -f overwrites a certificate already in the store
REM supplier's root certificate goes to the Third-Party Root Certification Authorities store
Certutil -f -addstore AuthRoot <certificate1filename>.crt

REM supplier's intermediate certificate goes to the Intermediate Certification Authorities store
Certutil -f -addstore CA <certificate2filename>.crt

REM server certificate with its private key; because this runs as SYSTEM (psexec -s) it goes to LocalMachine\My
certutil -f -p <password> -importpfx .\<certificate3filename>.pfx

certRemoteClearUp.bat – Delete all copied files and remove directory

DEL /Q /S %windir%\Temp\CertInstall\*.*
RD /Q /S %windir%\Temp\CertInstall
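As an added example, not part of the original post or its batch files: the same install-then-verify job in PowerShell. It pushes each certificate to every server in serverlist.txt and then reads the store back on each target to confirm the certificate (and, for the .pfx, its private key) is actually there, which the batch version never checks. It replaces psexec with PowerShell remoting (WinRM), sends the file bytes inside the remoting session instead of opening an Everyone-readable share, and holds the PFX password as a SecureString rather than writing it into CertUtilCommands.bat. WinRM being enabled on the targets, the caller being a local administrator on them, and the file names in $Plan are assumptions of this example; serverlist.txt, the CertFiles folder and the reports folder follow the page's layout.

```powershell
# Added example (PowerShell), not the original post's batch code. Same job as cc.bat,
# startcerts.bat, certRemoteSetup.bat, CertUtilCommands.bat and certRemoteClearUp.bat,
# plus a read-back check of each store. Assumptions: WinRM enabled on the targets, caller is
# a local administrator there, file names in $Plan are placeholders for your own files.

param(
    [string]$ServerList = '.\serverlist.txt',   # one host per line, '#' starts a comment (as on the page)
    [string]$CertFiles  = '.\CertFiles'         # the page's certificate folder
)

# Which file goes to which LocalMachine store; mirrors the page's certutil targets:
# AuthRoot (third-party root), CA (intermediate), My (server certificate + private key).
$Plan = @(
    @{ File = 'supplier-root.crt';   Store = 'AuthRoot' },
    @{ File = 'supplier-issuer.crt'; Store = 'CA'       },
    @{ File = 'service.pfx';         Store = 'My'       }
)

# Asked once and kept as a SecureString: it is never written to a file or put on a command
# line where it would show up in the remote machine's process list.
$PfxPassword = Read-Host -AsSecureString 'Password for the .pfx file(s)'

# Runs on each target. Receives the raw file bytes, imports them, then verifies by reading
# the store back instead of trusting the Add() call.
$RemoteImport = {
    param([byte[]]$Raw, [string]$StoreName, [System.Security.SecureString]$Pwd, [bool]$IsPfx)

    if ($IsPfx) {
        # MachineKeySet: private key goes to the machine key container (what 'certutil -importpfx'
        # under 'psexec -s' achieved on the page). PersistKeySet: keep it after the handle is released.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet,PersistKeySet'
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Raw, $Pwd, $flags
    } else {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)            # adding a certificate that is already present is a no-op
    $store.Close()

    $found  = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
              Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Select-Object -First 1
    $hasKey = if ($found) { [bool]$found.HasPrivateKey } else { $false }

    New-Object PSObject -Property @{
        Server        = $env:COMPUTERNAME
        Store         = $StoreName
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Present       = [bool]$found
        HasPrivateKey = $hasKey
    }
}

$servers = Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }

$results = foreach ($server in $servers) {
    foreach ($item in $Plan) {
        $path  = (Resolve-Path (Join-Path $CertFiles $item.File)).Path
        $raw   = [System.IO.File]::ReadAllBytes($path)
        $isPfx = $item.File -match '\.(pfx|p12)$'
        try {
            Invoke-Command -ComputerName $server -ScriptBlock $RemoteImport `
                -ArgumentList $raw, $item.Store, $PfxPassword, $isPfx
        } catch {
            # Unreachable host, access denied, wrong .pfx password, corrupt file: record it and carry on.
            Write-Warning "$server / $($item.File): $($_.Exception.Message)"
            New-Object PSObject -Property @{ Server = $server; Store = $item.Store; Subject = $item.File
                                             Thumbprint = ''; NotAfter = $null; Present = $false; HasPrivateKey = $false }
        }
    }
}

# Any row with Present = False, or a .pfx row with HasPrivateKey = False, needs attention.
$results | Sort-Object Server, Store | Format-Table Server, Store, Present, HasPrivateKey, NotAfter, Subject -AutoSize
if (-not (Test-Path .\reports)) { New-Item -ItemType Directory -Path .\reports | Out-Null }
$results | Select-Object Server, Store, Subject, Thumbprint, NotAfter, Present, HasPrivateKey |
    Export-Csv .\reports\cert_install_results.csv -NoTypeInformation
```

Run it from the same folder as the batch files (.\install-certs.ps1, or whatever you save it as); the CSV in reports gives one row per server and certificate, so a server that was offline or rejected the PFX password shows up as Present = False instead of being buried in a psexec console dump. Because the bytes travel inside the WinRM session, nothing is left in %windir%\Temp on the targets and there is no share to clean up afterwards.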

