6

I use the PowerShell App Deployment Toolkit and I have a script to install a few MSIs. For one of the MSIs, I have a certificate (cert.cer) that I need to install into each machine's Trusted Publishers store.

After doing some digging, I came up with this:

certutil.exe -addstore TrustedPublisher cert.cer
certutil.exe -addstore root cert.cer

This does not work. There are no errors; I am just still being prompted to accept an install from a non-trusted publisher.

Erik Kaplun
mpeytonfan18

3 Answers

8

Open PowerShell as administrator and run:

Import-Certificate -FilePath cert.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
Booga Roo
  • This also adds all certificates in the chain to TrustedPublishers, that is bad. Therefore all certificates from the same root ca are considered to be TrustedPublisher. – K. Frank Apr 03 '20 at 02:21
  • @K.Frank Interesting. I had not considered a scenario that included multiple certificates in the `.cer` file. I know that is possible with some certificate formats. Is that what you're referring to? – Booga Roo Apr 03 '20 at 02:33
  • No, I just have a publicly trusted .cer file that I tried to import. And Import-Certificate then also adds the CAs that signed the certificate as Trusted Publishers – K. Frank Apr 03 '20 at 02:36
  • ... was a cat file not a cer file. When first extracting the cer file it works as it should. So the error is in special handling of cat files. Therefore attention when using this command for installing drivers, as there you have cat files – K. Frank Apr 03 '20 at 02:41
  • @K.Frank That is doubly interesting. What kind of certificate was it that got added? A root certificate, intermediate/chain, or driver signing certificate? – Booga Roo Apr 03 '20 at 02:44
  • This is the iso image that contains the driver, if you'd like to take a look: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.173-9/virtio-win.iso The file I used is: `amd64/2k19/viostor.cat` In order to install the msi in the root silently right afterwards – K. Frank Apr 03 '20 at 02:47
  • Thanks, I'll take a look later tonight or tomorrow and update if I find anything interesting. – Booga Roo Apr 03 '20 at 02:50
1

Because of the above problem, that Import-Certificate imports all the certificates in the chain, I prefer Get-AuthenticodeSignature, which should read .cer files, too. Then you can access the signer certificate and add it to the store.

# https://stackoverflow.com/a/61533687/1133043
$CertFile = Get-Item <path to .cer file>

# Open the machine-wide Trusted Publishers store for writing
$CertStore = Get-Item "cert:\LocalMachine\TrustedPublisher"
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

# Take only the signer (leaf) certificate, not the CA chain above it
$Cert = (Get-AuthenticodeSignature $CertFile.FullName).SignerCertificate

Write-Host ( "Added {0}, {1} from {2}" -f $Cert.Thumbprint, $Cert.Subject, $CertFile.FullName )

$CertStore.Add($Cert)
$CertStore.Close()
ggz
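A stricter version of the same idea, added here as an example and not part of any answer above: it adds only the leaf signer certificate to LocalMachine\TrustedPublisher and refuses CA certificates outright, so the chain problem described in the comments on the first answer cannot occur. $SignedFile is a placeholder for the vendor's .cat or .cer file, and the bare-.cer fallback through the X509Certificate2 constructor is this example's own assumption.

```powershell
# Added example (not code from the answers above): trust ONLY the leaf signer
# certificate, never a CA, so a whole root or intermediate cannot become a
# "trusted publisher". $SignedFile is a placeholder for the vendor's file.
param([Parameter(Mandatory)][string]$SignedFile)

# .cat/.msi/.exe carry an Authenticode signature; take its signer certificate.
# Fallback for a bare .cer via the X509Certificate2 constructor is an assumption.
$sig  = Get-AuthenticodeSignature -FilePath $SignedFile
$leaf = if ($sig.SignerCertificate) { $sig.SignerCertificate } else {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignedFile
}

# Refuse anything that is itself a CA (BasicConstraints cA=TRUE).
$bc = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($bc -and $bc.CertificateAuthority) {
    throw "Refusing to trust a CA certificate as a publisher: $($leaf.Subject)"
}

# Require the Code Signing EKU (1.3.6.1.5.5.7.3.3); anything else is not a publisher cert.
$eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))) {
    throw "Refusing: $($leaf.Subject) does not assert the Code Signing EKU"
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $before = $store.Certificates.Count
    if ($store.Certificates.Find('FindByThumbprint', $leaf.Thumbprint, $false).Count -gt 0) {
        Write-Host "Already trusted: $($leaf.Thumbprint) $($leaf.Subject)"
    } else {
        $store.Add($leaf)   # X509Store.Add stores exactly this one certificate
        Write-Host "Added: $($leaf.Thumbprint) $($leaf.Subject)"
    }
    # Post-check: the store may grow by one entry, never by a whole chain.
    $grew = $store.Certificates.Count - $before
    if ($grew -gt 1) { Write-Warning "Store grew by $grew entries; inspect Cert:\LocalMachine\TrustedPublisher" }
} finally {
    $store.Close()
}
```

Run it from an elevated PowerShell, since LocalMachine stores are only writable as administrator.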
-1

This worked for me,

# Load a PFX (certificate plus private key) interactively
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certPath = Read-Host "Certificate Path"
$pfxPass = Read-Host "Password" -AsSecureString
$pfx.Import($certPath, $pfxPass, "Exportable,PersistKeySet")

# Open the machine-wide Trusted Publishers store and add the certificate
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::TrustedPublisher,
    "LocalMachine"
)
$store.Open("MaxAllowed")
$store.Add($pfx)
$store.Close()
pasha
  • This question is for a non-PFX certificate. Though, there is a similar `Import-PfxCertificate` cmdlet that would allow you to make a less complicated import script. – Booga Roo Aug 10 '19 at 23:52