Question
Saturday, April 26, 2014 8:10 PM
I have an application that I need to install during OSD. As part of this application installation, it needs to make some web service calls to a 3rd-party service via HTTPS. Since, at the point of OS deployment, group policy has not pushed down the certs needed by our Blue Coat server, the request is blocked and the application install fails.
I am using certutil to install the cert, and the script I am using validates that the cert is installed. But when that step completes and it moves on to the next step of installing the application, it fails, and when I look in the Certificates snap-in the certificate is not there.
Is there any special trick to get the certificate to install during OSD?
All replies (8)
Monday, April 28, 2014 10:21 AM ✅ Answered
UPDATE:
I got this to work by executing the command and then sleeping for 5 seconds and rerunning it. I loop and do this 3 times. Now it works. Not sure what was going on before... maybe just too quick? I was seeing positive results in my VMs but not on my physical device.
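The retry-and-sleep approach from the accepted answer, combined with the start /wait suggestion further down the thread, written out as a PowerShell script for a task sequence "Run Command Line" step. This is an added example, not the poster's script: the parameter names, the verify-by-thumbprint check, the use of the plain local-machine Root store (no -enterprise switch) and the attempt/sleep counts are assumptions chosen for illustration. Rather than trusting certutil's exit code, it reads the thumbprint from the .cer file and checks the Cert: drive, which reflects what the Certificates snap-in shows, before letting the step succeed.

```powershell
# Added example (not from the original thread): install a root CA certificate during OSD
# with certutil, verify it by thumbprint, and retry with a short sleep as in the accepted answer.
# Parameter names, the store name and the retry counts are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath,                 # the .cer shipped in the task sequence package
    [string]$StoreName = 'Root',       # Trusted Root Certification Authorities, local-machine store
    [int]$MaxAttempts = 3,
    [int]$SleepSeconds = 5
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Read the expected thumbprint from the file itself, so the check does not depend on certutil's output.
$expected   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$thumbprint = $expected.Thumbprint
Write-Host ("Installing {0} (thumbprint {1}) into LocalMachine\{2}" -f $expected.Subject, $thumbprint, $StoreName)

function Test-CertInstalled {
    param([string]$Store, [string]$Thumbprint)
    # The Cert: provider shows the same logical store the Certificates snap-in displays.
    return (Test-Path -LiteralPath "Cert:\LocalMachine\$Store\$Thumbprint")
}

$installed = $false
for ($attempt = 1; ($attempt -le $MaxAttempts) -and (-not $installed); $attempt++) {
    # Start-Process -Wait is the equivalent of "start /wait": do not move on until certutil has exited.
    $p = Start-Process -FilePath 'certutil.exe' `
                       -ArgumentList @('-addstore', $StoreName, "`"$CertPath`"") `
                       -Wait -PassThru -NoNewWindow
    Write-Host ("Attempt {0}: certutil exit code {1}" -f $attempt, $p.ExitCode)

    # Do not trust the exit code alone; confirm the certificate is actually present in the store.
    if (($p.ExitCode -eq 0) -and (Test-CertInstalled -Store $StoreName -Thumbprint $thumbprint)) {
        $installed = $true
    }
    else {
        Start-Sleep -Seconds $SleepSeconds
    }
}

if (-not $installed) {
    # A non-zero exit makes the task sequence step fail instead of letting the
    # application install run without the certificate it depends on.
    Write-Error ("Certificate {0} not present in LocalMachine\{1} after {2} attempts" -f $thumbprint, $StoreName, $MaxAttempts)
    exit 1
}

Write-Host 'Certificate verified in store.'
exit 0
```

Called from a Run Command Line step that uses the certificate package as its working directory (file names are hypothetical): `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\Install-RootCert.ps1 -CertPath .\proxy-root-ca.cer`. Because the step fails when the thumbprint is still missing after the last attempt, the application install that follows no longer runs against an empty store and fails for a less obvious reason.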
Saturday, April 26, 2014 9:08 PM
Can you please post your certutil command line and also confirm that you have the certadmin.dll in the folder to install it?
I have some free manuals http://1drv.ms/1kk6u6j
Saturday, April 26, 2014 9:20 PM
Command line: certutil -addstore -enterprise root <path to cert>
This is a Windows 8.1 system and it is a basic WIM without any customizations. I would assume that whatever DLLs are needed by certutil are where they need to be. If I hit F8 before this step, wait for the task to complete and the application to fail, and then verify that the cert is there... it is not there, although the log from my script says it was successful in importing the cert. If I then rerun the same script, I see that the cert is in fact imported.
Wondering what the difference is between that command running as a task vs. me executing it.
Saturday, April 26, 2014 9:56 PM | 1 vote
Why are you trying to add it to the enterprise store? The enterprise store is typically used for AD integrated (aka enterprise) certificate authorities. You should only be adding it to the trusted root store.
Jason | http://blog.configmgrftw.com
Sunday, April 27, 2014 2:55 AM
In addition to what Jason said, and for the long run if needed, I would create a package with the necessary files, including the certificates, and run it as a program in the task sequence. Such a package can also be useful for future deployments as needed.
I have some free manuals http://1drv.ms/1kk6u6j
Monday, April 28, 2014 10:11 AM
Thanks all for your replies. This certificate gets put in the Trusted Root Certification Authorities store. The physical store for Trusted Root Certification Authorities is the Enterprise store. This cert is published in a GPO. During the build, however, group policy is processed, and in addition the computer object is not in its final OU at this point in the build, and the GPO is not linked to the OU the computer object resides in during this phase.
Where the certificate is being imported to is really of no significance though to the question I am asking.
What I am seeing is that the certificate is not present after successfully executing the command. So my question is really regarding the limitations of certificates during OSD and if there are any.
Monday, April 28, 2014 10:19 AM
There are no limitations as far as I know. I've used certutil successfully in the past during OSD.
Torsten Meringer | http://www.mssccmfaq.de
Monday, April 28, 2014 11:56 AM
Just glancing online, it looks like this may be a bit common.
http://www.itninja.com/question/running-certutil-in-remediation-run-a-batch-file
I would try out the start /wait and see if it eliminates the need to call it multiple times or sleep.
Daniel Ratliff | http://www.PotentEngineer.com