Quick Thoughts

Adding Intermediate Certificate via PowerShell (and SCCM)

I ran into this issue at work and wanted to do a quick write-up on it. A vendor gave us a new certificate to push to all our machines, but with some staff now fully remote and working over VPN, we weren't reaching all of them with a GPO.

See, the GPO for adding a certificate has worked well for years. As I understand it, there is a portion of the group policy that runs during the gpupdate process, so users would begin to see that. However, the certificate doesn't actually show up in the certificate store until a reboot and fresh logon while connected to the network. Given that our VPN solution starts after user logon, this part never happens.

So the GPO will take care of users in our physical locations, but not the ones working remotely. This is where I turned to SCCM (it's called MECM now, but old habits die hard).

I started by writing a PowerShell script to import the certificate into the store I wanted, in this case the Intermediate Certification Authorities store. To do that I first had to find the actual name of the store, which I did with the following steps.

  1. Open PowerShell as administrator
  2. Run the following command to enter the certificate store within Windows

set-location cert:

  3. Next, you have two choices. You can either browse the user certificate store or you can browse the local machine store.

To browse the local machine store

dir LocalMachine

To browse the user store

dir CurrentUser

You can then use the cd command to enter either of these folders and use dir just like you would to browse files.

In my case, the name of the store I needed is LocalMachine\CA. So my PowerShell script looks like this. Note that this script assumes the certificate is in the same directory as the script; $PSScriptRoot resolves to the script's own folder, so the path holds no matter what the working directory is when SCCM runs it.

# Import the vendor's intermediate CA certificate into the machine-wide Intermediate Certification Authorities store
Import-Certificate -FilePath (Join-Path $PSScriptRoot "YOUR_CERT_NAME.crt") -CertStoreLocation Cert:\LocalMachine\CA

Once you have your script saved somewhere, it's just a matter of making a package in SCCM and using the following command to run the package.

powershell.exe -ExecutionPolicy Bypass -File .\your_script.ps1
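As an added example (not the script from this post), here is a version of the import that goes a little beyond the one-liner so it behaves well as an SCCM package: it refuses to put anything other than a CA certificate into the CA store, skips the import when the thumbprint is already present so re-runs are harmless, and returns a non-zero exit code that SCCM reporting will surface as a failed deployment. The file name intermediate.crt and the parameter names are assumptions.

```powershell
# Added example, not the original post's script. Assumes the certificate file
# sits next to this script; the file name below is a placeholder.
param(
    [string]$CertFile  = (Join-Path $PSScriptRoot 'intermediate.crt'),
    [string]$StorePath = 'Cert:\LocalMachine\CA'
)

$ErrorActionPreference = 'Stop'

try {
    if (-not (Test-Path $CertFile)) {
        throw "Certificate file not found: $CertFile"
    }

    # Load the certificate so it can be inspected before the store is touched.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)

    # Guard: only a CA certificate belongs in the CA store. The Basic Constraints
    # extension (OID 2.5.29.19) carries the CA flag; .NET exposes it as
    # X509BasicConstraintsExtension.CertificateAuthority.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$($cert.Subject) is not a CA certificate; refusing to import into $StorePath"
    }

    # Guard: an expired intermediate would never validate a chain anyway.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$($cert.Subject) expired on $($cert.NotAfter)"
    }

    # Idempotency: if this thumbprint is already in the store, report success and stop,
    # so repeated deployments of the package do not pile up duplicate entries.
    $existing = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Output "Already present: $($cert.Thumbprint) ($($cert.Subject))"
        exit 0
    }

    # Import-Certificate returns the certificate object it placed in the store.
    $imported = Import-Certificate -FilePath $CertFile -CertStoreLocation $StorePath
    Write-Output "Imported $($imported.Thumbprint) ($($imported.Subject)) into $StorePath"
    exit 0
}
catch {
    # A non-zero exit code shows up as a failed program run in SCCM reporting.
    Write-Error $_
    exit 1
}
```

Run it with the same powershell.exe command line shown above; the exit code is what SCCM records for the program.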