5

If I'm logged in as a normal user, how can I download/enroll user certificates for another user (on the same machine)? This can be done using the runas command, but I can't figure out exactly how.

Lee_Dailey
Stackbe
  • Please check if this article was helpful to you: [Enroll for Certificates on Behalf of Other Users](https://forsenergy.com/en-us/certmgr/html/211b51a2-999a-43c0-86ac-92a32cbe1dd2.htm) – Sunny Jan 06 '21 at 09:36

2 Answers

3

You can do the following:

You can check if it works by cd-ing and gci-ing around in the Cert: PSProvider after you have imported the certs; they should be listed there. Here's an example:

    [localhost]: PS C:\Users\adminsystem\Documents> cd Cert:
    [localhost]: PS Cert:\> cd CurrentUser
    [localhost]: PS Cert:\CurrentUser> cd My
    [localhost]: PS Cert:\CurrentUser\My> gci


       PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint                                Subject
    ----------                                -------
    F0BD97B4EC6CD8B71C35631738259CF9F2E54381  CN=Adobe Content Certificate 10-5, OU=Cloud Technology, O=Adobe Systems, L=San Jose, S=California, C=US
    D1DF7F06B769BCCB3F4479041EC1F06E9CD3CB1A  CN=Adobe Intermediate CA 10-3, OU=Cloud Technology, O=Adobe Systems, L=San Jose, S=California, C=US

Or, instead of entering a PSSession (even though I feel this is very comfortable for this task), you can do it directly with Invoke-Command (from an elevated PowerShell):

    Invoke-Command -ComputerName localhost { Import-Certificate ... } -Credential (Get-Credential)

The third way - and the only way that works as a normal user - is to simply start a new PowerShell as another user:

    start powershell -credential (Get-Credential)

and then do the cert import there.

SimonS
  • Thank you for the wonderful solution. But I need to perform this task without administrative privileges. I want my normal user to enrol another user without the need for admin privileges. So a workaround using PowerShell runas commands would be much appreciated. – Stackbe Jan 10 '21 at 12:47
  • @Stackbe added a third way that you can try – SimonS Jan 10 '21 at 15:22
1

In addition, I found the following option which can be done by normal users too.

  1. In PowerShell, use the following command to start a PowerShell as the other user:

    runas /user:<domain>\<username> powershell

    (this will prompt for the user's password)

  2. In that user's PowerShell, type certmgr and enrol the certificates for the user.

Stackbe
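A scripted equivalent of step 2 in the answer above, added here as an example and not part of either original answer: it is meant to run inside the PowerShell window opened as the other user, checks which account the session really runs as, requests a certificate with Get-Certificate and lists what was added to that user's store. The template name `User`, the `$ExpectedUser` parameter and the availability of an AD CS enrollment policy for that account are assumptions.

```powershell
# Run inside the PowerShell started as the other user, e.g. via
#   runas /user:<domain>\<username> powershell
# (runas loads that user's profile by default, which the CurrentUser store relies on).
param(
    # Assumption: a certificate template the target user is allowed to enroll for.
    [string]$TemplateName = 'User',
    # Assumption: the account this session is expected to run as; empty skips the check.
    [string]$ExpectedUser = ''
)

$store = 'Cert:\CurrentUser\My'

# Cert:\CurrentUser belongs to the account running this process, not to the
# account logged on to the desktop, so confirm the identity first.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($ExpectedUser -and $me -ne $ExpectedUser) {
    throw "Session runs as '$me', expected '$ExpectedUser'; the certificate would land in the wrong store."
}
Write-Host "Enrolling as $me"

# Remember the thumbprints already present so the new certificate can be picked out.
$before = @(Get-ChildItem $store | Select-Object -ExpandProperty Thumbprint)

# Get-Certificate (PKI module) submits the request using the session's own identity.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation $store

if ($result.Status -ne 'Issued') {
    # For example, Pending means the CA is waiting for manual approval.
    Write-Warning "Request was not issued, status: $($result.Status)"
    return
}

# Show only the certificates that this run added, and whether each has its private key.
Get-ChildItem $store |
    Where-Object { $before -notcontains $_.Thumbprint } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```

If the identity printed by the script is still your own account, the window was not started as the other user and nothing should be enrolled from it.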