Need help with certificate import into browser

Hi All,

We wanted to install a certificate into the trusted device of the browser. We have the certificate in .cer format.

Is there any way to import/remove the certificate into/from Trusted Root Certification Authorities using BigFix?

Any help on this would be highly appreciated.

There are multiple ways to accomplish this. You can either:

1) Attach the cert as a download and use 'certutil' commands to import.
2) Use PowerShell commands to import.
3) Create a GPO that applies to this machine and add trusted roots in a PKI policy.

The GPO approach is the most efficient if you need to apply the same trusted root to a large number of machines that are domain joined.

Yes @JonL, we can do it using PowerShell (bypass policy) or GPO push as well.
I've done it using batch file scripting and implemented it in a BigFix Action Script.
The action works well for Import/Revoke of a certificate in MMC:

Batch File Script:
For Import

```batch
@echo off
REM Import into Trusted Publishers
certutil.exe -addstore -f "TrustedPublisher" "C:\Users\19639\Desktop\RestAPI.cer"
REM Import into Trusted Root Certification Authorities
certutil.exe -addstore -f -enterprise -user root "C:\Users\19639\Desktop\RestAPI.cer"
```

**For Removing Certificate:**

```batch
@echo off
REM Remove from Trusted Publishers (certutil -delstore matches on the certificate ID given)
certutil.exe -delstore "TrustedPublisher" "ServerSigningCertificate_0"
REM Remove from Trusted Root Certification Authorities
certutil.exe -delstore -enterprise -user root "ServerSigningCertificate_0"
```

Later, I uploaded the batch file using the Software Distribution wizard.
Action Script:

```
prefetch c76aa4a2a237eb1473c6c5a02878791b138135ab sha1:c76aa4a2a237eb1473c6c5a02878791b138135ab size:209 http://Server_Name:52311/Uploads/c76aa4a2a237eb1473c6c5a02878791b138135ab/ImplementCertificate.bat.tmp sha256:48681ca3c43266a1787a8c0157cb27cb68d20998869c061794eda3ef5d0b79b1
extract c76aa4a2a237eb1473c6c5a02878791b138135ab
wait "{pathname of system folder & "\cmd.exe"}" /Q /C "{(pathname of client folder of current site) & "__Download\ImplementCertificate.bat"}"
```

Hope this helps :smiley:

Did that script work for you via BigFix?

Is 'RestAPI.cer' in your example a signing certificate of some sort or an actual certificate authority certificate?

Typically in an enterprise PKI, the root and issuing CAs' public keys are trusted (ideally via AD GPO if the machines are domain joined, or via a certutil or PowerShell script). The 'working' certificate (likely RestAPI.cer in this case) is then issued and/or signed by the trusted issuing CA. If the machines properly trust the CA hierarchy, they will by default trust the certificates issued by them.
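The following is an added example, not code posted by anyone in this thread, showing the PowerShell route mentioned above as a single script that can be pushed with a BigFix action in the same way as the batch file: it imports a .cer into the LocalMachine Trusted Root (or Trusted Publishers) store, refuses to put a non-CA certificate into Root (the distinction raised in the post above), verifies the import by thumbprint so the exit code reflects what is actually in the store, and removes by thumbprint rather than by name. The path C:\Temp\RestAPI.cer, the store choice and the `-Remove` switch are assumptions for illustration; the script needs to run elevated (BigFix actions run as SYSTEM, which is sufficient).

```powershell
<#
  Added example, not from the thread: import a .cer into a LocalMachine store,
  verify by thumbprint, optionally remove by thumbprint.
  Assumed placeholders: C:\Temp\RestAPI.cer is the downloaded file.
#>
param(
    [string]$CerPath = 'C:\Temp\RestAPI.cer',
    [ValidateSet('Root', 'TrustedPublisher')]
    [string]$StoreName = 'Root',
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'
$storePath = "Cert:\LocalMachine\$StoreName"

# Parse the file first so we know exactly which certificate we are about to trust.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Only CA certificates (BasicConstraints cA=TRUE) belong in Trusted Root Certification
# Authorities; a server or signing certificate should be trusted through its issuing CA.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
$isCa = ($null -ne $bc) -and $bc.CertificateAuthority
if ($StoreName -eq 'Root' -and -not $isCa) {
    throw "Refusing to add non-CA certificate '$($cert.Subject)' to the Root store."
}

$existing = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($Remove) {
    # Remove by thumbprint, not by subject name: a delete keyed on the CN would also
    # hit any other certificate in the store that happens to carry the same name.
    if ($existing) {
        $existing | Remove-Item
        Write-Output "Removed $($cert.Thumbprint) from $storePath"
    } else {
        Write-Output "Nothing to remove: $($cert.Thumbprint) not present in $storePath"
    }
    exit 0
}

if (-not $existing) {
    # Import-Certificate is in the built-in PKI module (Windows 8 / Server 2012 and later).
    Import-Certificate -FilePath $CerPath -CertStoreLocation $storePath | Out-Null
}

# Re-read the store so the exit code reflects what is actually installed; the BigFix
# action can then succeed or fail on this rather than on certutil's text output.
$installed = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    Write-Error "Import of $($cert.Thumbprint) into $storePath did not take effect"
    exit 1
}
Write-Output "Trusted '$($cert.Subject)' ($($cert.Thumbprint)) in $storePath"
exit 0
```

From an action script this would be launched the same way as the batch file in the earlier post, with `powershell.exe -ExecutionPolicy Bypass -File` in place of `cmd.exe /Q /C`; re-running the action is harmless because the import is skipped when the thumbprint is already present. The CA check is the caveat worth keeping even if you stay with certutil: a self-signed end-entity certificate placed in Root makes every machine trust that key directly, which is rarely what is wanted.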

Yes, it is working with BigFix.
I've tested both ways, for a self-signed cert and an actual CA cert as well.

Can you share a screenshot of how the action script was included in BigFix?