Access Denied Importing Certificate on Remote Machine


I'm trying to come up with a way to push out a certificate for install on multiple machines. The method I came up with is:

Invoke-Command ServerName {Import-Certificate -FilePath "path" ` 
CertStoreLocation Cert:\LocalMachine\Root}

And I get:

Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    + CategoryInfo          : NotSpecified (:) [Import-Certificate], Exception
    + FullyQualifiedErrorID : System.Exception,Microsoft.CertificationServices.Commands.ImportCertificateCommand
    + PSComputerName        : ServerName

I'm running my local PowerShell as administrator, and my account is an administrator on the target machine. And I have verified that I can install certificates.

EDIT: If I log onto the target machine and run the code in the {}'s it works fine, but only if I Run As Administrator. So while on my machine I'm launching as Administrator, it doesn't seem to be translating that over to the target.

asked on Server Fault Nov 2, 2015 by EAndrus • edited Nov 7, 2015 by EEAA

2 Answers


The problem you are running into is the second-hop credential passing with PowerShell remoting. See excerpt directly below from the article I linked.

The first hop was from your client to ServerA. The second is from ServerA to the other machine to which you’re trying to connect. The problem arises because your credentials can’t be delegated a second time.

That’s actually a security feature, designed to prevent your credential from being passed around without your knowledge. So your second hop operation fails, because ServerA isn’t able to send any credentials along for the ride.

There are some ways around this, namely to copy the cert file locally to the server you are importing it first, which you have already stated works without issue.

You can also use CredSSP for second-hop remoting.

answered on Server Fault Nov 3, 2015 by bentek

You can also distribute certificates to the trusted roots store (and other stores) via GPO. Using this method has the advantage of the proper certs being in place on new machines as they are built and joined to the domain.

Right click the store name, import the public key file, link the GPO, wait 90 minutes for GPO to refresh on the targets.


answered on Server Fault Nov 3, 2015 by Clayton • edited Nov 3, 2015 by Clayton

User contributions licensed under CC BY-SA 3.0