Using Invoke-Command to Import-Certificate gives Access Denied

This topic contains 3 replies, has 2 voices, and was last updated by  Shawn Campbell 3 years, 8 months ago.

  • Author
  • #18990

    Shawn Campbell


    New to this forum and new to PowerShell scripting. I am trying to build a script that will export a certificate from one system and import it to another. Here is the typical scenario...

    We will have several systems (clients) that run software that require a certificate. The certificate is generated when one of the component services is installed.started. Our back office system communicates with these client system, but to do so, it requires the certificates from the clients to be imported into the certificates store.

    The script runs on each client system. It checks to see if the .CER file has already been created. If not, it creates the cert and then attempts an Invoke-Command to the back office system with a scriptblock that does the following.

    Import-Certificate -FilePath -CertStoreLocation cert:\CurrentUser\TrustedPeople

    The error I receive back from the back office system is:

    Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    + CategoryInfo : NotSpecified: (:) [Import-Certificate], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.ImportCe
    + PSComputerName : BACKOFFICE

    Now if I go to the back office system and run the Import-Certificate command pointing to the .CER file on the client, it imports the certificate just fine.

    I have done the Invoke-Command going from Client->BackOffice and from BackOffice->Client and both are able to execute commands remotely.

    So, what might be casunig this "Access is Denied" error. I could always write another script that sits on the BackOffice system and runs the Import-Cert locally, but I'd really prefer that the clients push the certificate to the BackOffice system.

    Thank In Advance for any help.


  • #18991

    Dave Wyatt

    Is the .CER file on a network share? If so, you may be running into the "second hop" problem of remoting. There are many ways to get around this, but the simplest (and generally most secure) is to avoid the need for a second hop in the first place. For example, you could copy the .cer file to a temporary location on the remote computer before you run Invoke-Command (and then use a local path on the target computer when you refer to the .cer file.)

  • #18992

    Shawn Campbell


    Yes, the CER file is in a shared folder being accessed via a UNC path. I'll try your suggestion and get back to you.



  • #18993

    Shawn Campbell


    Thanks for the suggestion. It worked great. Copied the file to the BackOffice system and ran the Import on the local file instead. Cert imported fine.

    Thanks again...


You must be logged in to reply to this topic.