Software Deployment

Two clues:user mode and localMachine root and a hint, viz. your users are unlikely to have local administrator rights.

You mean to say that, i should install the certificate in "CurrentUser" mode. In that case i need to make sure that the cmd is executed for everyuser.

Did i understand your point or i missed any point?

Thnx
DN

If you do that, you need to use a different "root". MSDN will have the details. Search there for 'certmgr'. Alternatively - and better - install it in System context using the command line you have and it'll be installed for the machine, in other words, all users.

I am dealing with a simular issue where I have created my 2 certificates and need to add them as CAs into my MSI.
I had the certmgr.exe in the binary so my CA source linked to the certmgr in the bonary table and the Type is 3074.
Target was -add c:\temp\abc.cer -c -s -r LocalMachine TrustedPublisher

Works fine using the /qn switch "although" I see a couple of cmd windows popup and exit very quickly.
Therefore, via SCCM deployment testing....the package did not work....and I suspected it would not work too.
Testing via psexec -i -s cmd to execute cmd as system context.

I am trying another method....but I am suspicious.
Add the certmgr in the c:\windows dir.
The CA will use the SystemFolder in the Source - call cmd.exe /c c:\windows\certmgr.exe -add c:\temp\abc.cer -c -s -r LocalMachine TrustedPublisher
Type 3106

Am I going about it in the right way....not sure?

@ tron2ole - If you are doing installation of machine based Certificate then it'll work fine.

you can also use type : 1106 CA

For Example:

CustomAction Table-

PublicPrimaryCertificate | 1106 | certmgr.exe | -add -c "[INSTALLDIR]Verisign Class 1 Public Primary CA - G3.cer" -s -r LocalMachine ROOT
IndividualSubscriberCertificate | 1106 | certmgr.exe | -add -c "[INSTALLDIR]Verisign Class 1 Individual Subscriber CA - G3.cer" -s -r LocalMachine CA

Cheers I will give it a shot.....[;)]

If it helps,
I used: 'certutil -dspublish -f "SomeCertificateCA.cer" NTAuthCA'. To achieve the same thing.

Worked without issue running both from psexec cmd as system and from SCCM.

Cheers
Rich

[8|]
WOW - I thought that I would just add the two blob registry keys: HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\
So the MSI only contains those two reg keys....installs fine and tested in system context....
In SCCM....does not deploy the reg keys....weird.....
I am now added the keys in a script and added as a CA in the MSI to test....strange though....
Could be one to be thrown to the SCCM forum....

And the verbose log - which of course you specified in your command line - tells you......what?

The MSI verbose log was fine - no errors as the package actually installs - just no reg keys via SCCM but SCCM deployment.
The SCCM log showed an entry:The code is inconsistent with the package cache....
Anyway....the CA with the registry keys worked fine....