I have a self-signed .cer certificate that I need to deploy to roughly a 1000 machines, running a variety of Windows versions from Windows XP and Server 2003 up to Windows 7 and Server 2008 R2.
SCCM is our normal deployment method, and have tried deploying these a few different ways and am bumping against the fact that either not all the required tools are available on all OS's or I'm just getting error messages on the automatic deployment that I don't see running them manually.
The most cross-platform friendly method that I've found is to grab a copy of CertUtil.exe and certadm.dll from a copy of XP SP3 that has the admin tools installed and drop that in the same folder as the .cer file, then use the following command lines in a batch file:
certutil.exe -addstore TrustedPublisher cert.cer
certutil.exe -addstore root cert.cer
This works fine manually running the batch file, but comes back with a variety of errors running it automatically.
Is there a better way to do this cross Windows platforms?
As you have that many machines it seems reasonable to assume you're use an AD domain, in which case you can push the certs out using Group Policy Objects. There are numerous articles describing the steps, such as this one from Technet.
Following clues from this prior question import certificate using command line in Win XP Home, and a fair bit of playing around, now have this consistently deploying across OS's.
Have extracted the following files from the 32-bit Win Server 2003 SP2 Admin Pack (KB340178) and saved together with the certificate in a folder on the packages source in SCCM:
Now ditching the batch file and creating two separate programs in SCCM with the following two command lines (both chained together into the one advert) it all seems to be working as an automated rollout across the OS's.
certutil.exe -addstore TrustedPublisher cert.cer
certutil.exe -addstore root cert.cer