我已经尝试使用Invoke-Command进行Import-PfxCertificate,但我认为它需要首先在远程服务器上复制证书文件。我还认为它需要委派凭据。
根据以下链接,.Net类不支持“CurrentUser” -
“在这两个证书存储位置中,只能通过.NET类远程访问LocalMachine。由于安全原因,尝试访问CurrentUser将导致”拒绝访问“消息。”
有没有办法使用PowerShell实现这一目标?
答案 0 :(得分:2)
您可以使用PSSession步入远程PC。
Enter-PSSession -ComputerName RemoteSystem
#...Prompt changes and commands are now executing on the remote sysem
#change the store location to the appropriate store you'd like to put the CERT
Import-PFXCertificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath \\server\path\to\cert.pfx
Exit-PSSession
这将是最简单的方法,以及必须在定位系统上执行的任何其他命令。
如果您需要在大量系统的脚本中执行此操作:
$computers = #get a bunch of computers, either a txt file, csv or whatever
ForEach ($remoteSystem in $computers){
Enter-PSSession -ComputerName $RemoteSystem
#Commands below this point will execute remotely
Import-PFXCertificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath \\server\path\to\cert.pfx
Exit-PSSession
}
完成!
答案 1 :(得分:0)
我在上述解决方案中遇到了双跳身份验证问题。下面的代码对我来说效果很好。希望能帮助到你! :)
[byte[]]$Pfxinbyts = Get-Content "$FullPathWithFileName.pfx" -Encoding byte
Invoke-Command -Session $session -ScriptBlock {
param(
[byte[]] $PFXCertInByte,
[string] $CertRootStore,
[string] $CertStore,
[string] $X509Flags,
$PfxPass)
$Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Pfx.Import([byte[]]$PFXCertInByte, $PfxPass, $X509Flags)
$Store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $CertStore, $CertRootStore
$Store.Open("MaxAllowed")
$Store.Add($Pfx)
if ($?)
{
"${Env:ComputerName}: Successfully added certificate."
}
else
{
"${Env:ComputerName}: Failed to add certificate! $($Error[0].ToString() -replace '[\r\n]+', ' ')"
}
$Store.Close()
} -ArgumentList $Pfxinbyts, "LocalMachine", "My", "Exportable,PersistKeySet", $PFXPassword