Import pfx certificate to Service Account from my account.

  • Question

  • Overview:

    I'm working on a Project where my .bat script would run the SSIS package that will load the data into the database. The database has been encrypted using the Always Encrypted method and the security certificate was generated under my account. Now we need to use this certificate to allow the Service Account (a domain account) to run this bat script as scheduled.

    Currently when I run the job using the service account via Scheduler it is failing, as per vendor the reason for the failure is due to that account (Service Account) missing the certificate.

    Now I would appreciate if someone can guide me on how to move the .pfx certificate from my account to the Service account.

    So far I have tried the following command and it is failing as below:

    D:\>certutil -f -user cpg-gpc\ServiceAccount -p 'itLcX69W$' -importpfx "MY_CERT.pfx" NOROOT,NOEXPORT

    Result:

    Expected no more than 1 args, received 6
    CertUtil: Too many arguments

    Usage:
      CertUtil [Options] [-dump]
      CertUtil [Options] [-dump] File
      Dump configuration information or files

    Options:
      -f                -- Force overwrite
      -user             -- Use HKEY_CURRENT_USER keys or certificate store
      -Unicode          -- Write redirected output in Unicode
      -gmt              -- Display times as GMT
      -seconds          -- Display times with seconds and milliseconds
      -silent           -- Use silent flag to acquire crypt context
      -split            -- Split embedded ASN.1 elements, and save to files
      -v                -- Verbose operation
      -privatekey       -- Display password and private key data
      -pin PIN                  -- Smart Card PIN
      -p Password               -- Password
      -t Timeout                -- URL fetch timeout in milliseconds
      -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
                22 -- Local System
                23 -- Network Service
                24 -- Local Service

    CertUtil -?              -- Display a verb list (command list)
    CertUtil -dump -?        -- Display help text for the "dump" verb
    CertUtil -v -?           -- Display all help text for all verbs

    Any help is appreciated


    • Edited by Shaddy_1 Monday, March 12, 2018 8:08 PM
    Monday, March 12, 2018 7:14 PM

Answers

  • Hi,

    I was able to resolve this issue with some help from the vendor, hope this can help others.

    Steps:

    1. Create a Task in Scheduler to run the bat script that will run the job, make sure to enter the username for the service account that you want the job to run under.
    2. Open the bat file and enter the following command on first line:

    D:/Path/to/certificate.pfx  <--Path where the certificate is located.
    certutil -f -user -p "CertificatePassword" -importpfx CertificateName.pfx NoRoot <--Change CertificatePassword and CertificateName only.

    3. Run the Scheduled task and verify the success.
    4. Remove the lines you added in the bat file in step 2.
    5. Run the task again and verify success.

    • Marked as answer by Shaddy_1 Tuesday, March 13, 2018 5:35 PM
    Tuesday, March 13, 2018 5:35 PM
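
Added example, not part of the original answer or the vendor's instructions: the same one-time import done with the PowerShell Import-PfxCertificate cmdlet in place of certutil, so the PFX password is read from a file rather than typed into the .bat file, and the script checks which account it is running as before touching the store. The paths, the account name and the one-time password file are placeholders and assumptions.

```powershell
# Added example: one-time import, run as the service account (for instance as
# the action of the scheduled task from step 1). All default values below are
# placeholders, not values from the original thread.
param(
    [string]$PfxPath      = 'D:\Path\to\CertificateName.pfx',  # placeholder path
    [string]$PasswordFile = 'D:\Path\to\pfx-password.txt',     # hypothetical one-time file
    [string]$ExpectedUser = 'DOMAIN\ServiceAccount'            # placeholder account
)
$ErrorActionPreference = 'Stop'

# The import targets the per-user store (the equivalent of "certutil -user"),
# so it only helps when it runs under the service account itself.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ExpectedUser) {
    throw "Running as '$me', expected '$ExpectedUser'. Nothing imported."
}

# Read the PFX password from the first line of the one-time file.
$plain  = (Get-Content -LiteralPath $PasswordFile -TotalCount 1).Trim()
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Import into the current user's Personal store. -Exportable is deliberately
# omitted, so the private key is stored as non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $secure

# A certificate without its private key cannot be used to decrypt anything.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# Confirm the certificate is visible in the store this account will read from.
$found = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
         Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) {
    throw "Certificate $($cert.Thumbprint) not found in CurrentUser\My after import."
}

# The password file has served its purpose; remove it.
Remove-Item -LiteralPath $PasswordFile -Force
Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)] for $me"
```

Once the import has succeeded, point the scheduled task back at the original .bat file, as in steps 4 and 5 above.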

All replies

  • Of course, if you are not running it on a number of servers (too time consuming), then you could just use the GUI to import that certificate to the service account's personal store
    • Edited by scerazy Saturday, January 25, 2020 5:35 PM
    Saturday, January 25, 2020 5:34 PM