Certificate Deployment with SCCM

Certificate Discovery Script:
$sn = '590000000ad02bb70017be36f700000000000a'
$storeName = "TrustedPublisher"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, LocalMachine
# The store has to be opened before its Certificates collection is populated
$store.Open("ReadOnly")
Write-Host (@( ($store.Certificates | where {$_.SerialNumber -eq $sn}) ).count)
$store.Close()

Simply replace the value of the $sn variable in the above script with the actual serial number of the certificate you are installing (unless you really want to check for the code signing certificate in my lab). You can easily grab this from the Details tab of the Certificate dialog in the MMC Certificates snap-in. Just copy and paste it (get rid of the intermediate spaces though).

Also, replace the value the $storeName variable if necessary. The script above checks for certificates in the Trusted Publisher store. Other possible values include My for the Personal store and Root for the Trusted Root Certificate Authorities store.

Alternatively, run the following script to list the serial number from all of the certificates in the given store:

Get Certificate Serial Numbers:
$storeName = "TrustedPublisher"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, LocalMachine
# Open the store read-only, list what is in it, then release the handle
$store.Open("ReadOnly")
$store.Certificates | select Subject, SerialNumber
$store.Close()

For the compliance rule, select Value as the Rule type, change the operator to Greater than or equal to, and then set the value to 1.

The Remediation Script

If all we wanted was to check for compliance we could stop here, but we also want to add the certificate to the appropriate store which requires a Remediation Script.

Certificate Remediation Script:
$storeName = "TrustedPublisher"
$certString = "--Insert Base64 encoded certificate here--"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, LocalMachine
$certByteArray = [System.Convert]::FromBase64String($certString)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# Load the decoded DER bytes into the certificate object, then add it to the store
$cert.Import($certByteArray)
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

Just like with the discovery script, update the $storeName variable appropriately. For the $certString variable, open the base64 encoded certificate file that you exported above in Notepad, and then copy and paste the complete text from between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers as the value replacing the --Insert Base64 encoded certificate here-- text shown above. Don't worry about the new lines; the underlying API is smart enough to deal with those.

Alternatively, if you already have the certificate in a DER encoded binary file, you can forgo exporting it. To get the base64 representation of the certificate from a DER encoded binary file, run the following (replacing the values of the Path and FilePath parameters as appropriate). This will write the base64 representation into the specified text file, from which you can copy and paste it.

Get Base64 Representation of a Certificate:
[System.Convert]::ToBase64String($(Get-Content -Path .\mycertificate.cer -Encoding Byte)) | Out-File -FilePath .\mycertificate.txt

Copy the edited script into your configuration item as the Remediation Script choosing PowerShell as the language.

Finally, add the configuration item to a compliance baseline and deploy. Make sure that you choose Run the specified script when this setting is noncompliant on the Compliance Rule you created before (this checkbox doesn’t show up until after you add a Remediation Script to the setting) and Remediate noncompliant rules when supported when creating the deployment.
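As an added example (not part of the original post), here is the same discovery/remediation pair written to key on the certificate thumbprint instead of the serial number. A serial number is only unique within one issuing CA, whereas the thumbprint is a hash of the whole DER encoding, so it lets the remediation step confirm it is adding exactly the intended certificate before it writes to a high-trust store such as TrustedPublisher. The $expectedThumbprint and $certBase64 values are placeholders; the .NET X509Store and X509Certificate2 calls are the same ones the post uses.

```powershell
# Added example, not from the original post. Placeholders below must be filled in
# from your own certificate (thumbprint from the Details tab, base64 body from the .cer).
$storeName          = 'TrustedPublisher'
$expectedThumbprint = 'INSERT-40-HEX-CHAR-THUMBPRINT-HERE'              # placeholder
$certBase64         = '--Insert Base64 encoded certificate here--'      # placeholder

# Discovery script body: returns how many certificates with this thumbprint are present.
function Test-CertInstalled {
    param([string]$StoreName, [string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    try {
        # .Certificates is empty until the store is opened
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $hits = @($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() })
        return $hits.Count
    } finally {
        $store.Close()
    }
}

# Remediation script body: decodes the pasted certificate, checks its thumbprint, then adds it.
function Install-PinnedCert {
    param([string]$StoreName, [string]$Thumbprint, [string]$Base64)
    # Strip PEM markers and whitespace in case the whole .cer text was pasted in
    $body  = $Base64 -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
    $bytes = [System.Convert]::FromBase64String($body)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($bytes)
    # Refuse to add anything other than the pinned certificate
    if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
        throw "Decoded certificate thumbprint $($cert.Thumbprint) does not match expected $Thumbprint"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
    } finally {
        $store.Close()
    }
}

# In SCCM these two halves go into separate scripts; run together here for illustration.
$count = Test-CertInstalled -StoreName $storeName -Thumbprint $expectedThumbprint
if ($count -eq 0) {
    Install-PinnedCert -StoreName $storeName -Thumbprint $expectedThumbprint -Base64 $certBase64
}
Write-Host $count   # the compliance rule compares this against >= 1
```

The compliance rule stays the same (Value, Greater than or equal to, 1); only the identifier the scripts agree on changes from serial number to thumbprint.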

