
How do I import a certificate to the Certstore on remote systems when WinRM is disabled with powershell

How do I import a certificate with PowerShell to the Certstore on remote systems when WinRM is disabled in the environment due to security? I have attempted a few workarounds and all have failed. Please be easy, I'm a novice.

I have tried this as a workaround and yes, I know it's the untrusted store.

$cert = Get-ChildItem -Path "SharePath.cer"
$server = Get-Content ".\servers.txt"
# $_ (the current server name) is never used inside the loop, so every
# iteration imports into the local machine's Disallowed store, not the remote one
$server | ForEach-Object { $cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Disallowed }

Deploying certificates to computers is probably best accomplished via Group Policy as it is a far more robust and easy to use process.

That being said, if you cannot use Group Policy you may be able to use one of several other solutions depending on your target system's OS.

Boe Prox wrote an Import-Certificate function and explanation that uses .Net under the covers to allow imports on remote computers without WinRM or older than Windows 10. Using his solution you can do the following:

$File = "C:\temp\SomeRootCA.cer"
$Computername = 'Server1','Server2','Client1','Client2'
Import-Certificate -Certificate $File -StoreName Disallowed -StoreLocation LocalMachine -ComputerName $Computername

If you are on Windows 10 you can use the built-in Import-Certificate, but this only works for the local system. So you will need to wrap it with Invoke-Command (which requires WinRM) or you can fall back to Invoke-WMIMethod. It's not nearly as friendly to use or to work with its output, but it will work. This is a working example of executing a function on a remote computer without WinRM. For complex commands you will want to use the -EncodedCommand parameter of powershell.exe.

Copy cert to the remote system to avoid 2 hop issues

Copy-Item "C:\temp\SomeRootCa.cer" "\\Computer1\C$\temp\"

Encode the command we want to use

$encoded = [Convert]::ToBase64String(
               [System.Text.Encoding]::Unicode.GetBytes(
                   {Import-Certificate -FilePath C:\temp\somerootca.cer -CertStoreLocation cert:\localmachine\disallowed}
               )
           )

Spawn a process on the remote computer

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -encodedcommand $encoded" -ComputerName Computer1

You will get output similar to the following on your computer

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ProcessId        : 8748
ReturnValue      : 0
PSComputerName   :

Note that the return value of 0 indicating success only indicates that powershell was spawned, not that the commands you executed were successful. If you want some logging you will need to bake it into the command you encode.

EDIT: Foreach-Object and Get-Content

Get-Content C:\some\file\name\here.txt | Foreach-Object -begin {
    $encoded = [Convert]::ToBase64String(
               [System.Text.Encoding]::Unicode.GetBytes(
                   {Import-Certificate -FilePath C:\temp\somerootca.cer -CertStoreLocation cert:\localmachine\disallowed}
               )
           )
} -process {
    if(Test-Connection $_ -quiet){
        Copy-Item "C:\temp\SomeRootCa.cer" "\\$_\C$\temp\"
        Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -encodedcommand $encoded" -ComputerName $_
    }
}

Please do not copy/pasta this into a production environment. Read it and understand what is happening. Use the ISE to debug portions of the functions and piece it together bit by bit.

Also note that SO is not a code writing service; if you don't do a minimum amount of research (i.e. Get-Content and Foreach-Object) and show an SSCCE, your questions are likely to be flagged as off topic and closed.
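The answer above mentions that a .NET-based approach can write to a remote machine's certificate store without WinRM, and that the WMI route gives you no confirmation that the import actually happened. The script below is an added example, not code from the question, the answer, or Boe Prox's function: it opens the remote LocalMachine\Disallowed store directly through the X509Store "\\computer\StoreName" syntax, refuses to run unless the file's thumbprint matches the one you expect, adds the certificate only if it is not already there, and then re-opens the store read-only to verify the result. The file path, server list path, $ExpectedThumbprint placeholder and the output CSV name are assumptions; the target must allow remote registry access and the caller must be a local administrator there.

```powershell
# Added example (not from the original page). Pushes one .cer into the
# LocalMachine\Disallowed store of each listed computer without WinRM,
# using the .NET remote-store syntax "\\computer\StoreName", and verifies it.
# Assumptions: Remote Registry reachable on each target, caller is a local
# admin there, and $ExpectedThumbprint is set to the real thumbprint.
param(
    [string]$CertPath           = 'C:\temp\SomeRootCA.cer',      # assumed path
    [string]$ServerList         = '.\servers.txt',               # one hostname per line
    [string]$ExpectedThumbprint = 'REPLACE_WITH_EXPECTED_THUMBPRINT',  # placeholder
    [string]$StoreName          = 'Disallowed',
    [string]$ResultCsv          = '.\cert-import-results.csv'    # assumed output file
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Guard: never push a certificate whose thumbprint is not the one you intended.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
}

function Test-RemoteCertificate {
    # Returns $true if the thumbprint is present in the remote store (read-only open).
    param([string]$ComputerName, [string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        "\\$ComputerName\$StoreName", 'LocalMachine')
    try {
        $store.Open('ReadOnly')
        # validOnly = $false: a blocked certificate will not chain as valid anyway
        return ($store.Certificates.Find('FindByThumbprint', $Thumbprint, $false).Count -gt 0)
    } finally {
        $store.Close()
    }
}

function Import-RemoteCertificate {
    param([string]$ComputerName)
    $result = [ordered]@{
        ComputerName = $ComputerName
        Thumbprint   = $cert.Thumbprint
        Status       = $null
        Error        = $null
    }
    try {
        if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
            $result.Status = 'Unreachable'
            return [pscustomobject]$result
        }
        if (Test-RemoteCertificate -ComputerName $ComputerName -Thumbprint $cert.Thumbprint) {
            $result.Status = 'AlreadyPresent'
            return [pscustomobject]$result
        }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
            "\\$ComputerName\$StoreName", 'LocalMachine')
        try {
            $store.Open('ReadWrite')
            $store.Add($cert)
        } finally {
            $store.Close()
        }
        # Verify with a fresh read-only open rather than trusting Add() alone.
        if (Test-RemoteCertificate -ComputerName $ComputerName -Thumbprint $cert.Thumbprint) {
            $result.Status = 'Added'
        } else {
            $result.Status = 'VerifyFailed'
        }
    } catch {
        $result.Status = 'Error'
        $result.Error  = $_.Exception.Message
    }
    [pscustomobject]$result
}

$results = Get-Content $ServerList |
    Where-Object { $_.Trim() } |
    ForEach-Object { Import-RemoteCertificate -ComputerName $_.Trim() }

# Keep a record of what happened on every host; review 'Error' and 'VerifyFailed' rows.
$results | Export-Csv -NoTypeInformation -Path $ResultCsv
$results | Format-Table -AutoSize
```

Run it from an administrative PowerShell session on the management host after replacing the thumbprint placeholder; the CSV gives you the per-host audit trail the WMI approach lacks, and a host that reports `VerifyFailed` or `Error` is one where the store was not changed as intended.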
