Using Invoke-Command to Import-Certificate gives Access Denied


New to this forum and new to PowerShell scripting. I am trying to build a script that will export a certificate from one system and import it to another. Here is the typical scenario…

We will have several systems (clients) that run software that require a certificate. The certificate is generated when one of the component services is installed.started. Our back office system communicates with these client system, but to do so, it requires the certificates from the clients to be imported into the certificates store.

The script runs on each client system. It checks to see if the .CER file has already been created. If not, it creates the cert and then attempts an Invoke-Command to the back office system with a scriptblock that does the following.

Import-Certificate -FilePath -CertStoreLocation cert:\CurrentUser\TrustedPeople

The error I receive back from the back office system is:

Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
+ CategoryInfo : NotSpecified: (:slight_smile: [Import-Certificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.ImportCe
+ PSComputerName : BACKOFFICE

Now if I go to the back office system and run the Import-Certificate command pointing to the .CER file on the client, it imports the certificate just fine.

I have done the Invoke-Command going from Client->BackOffice and from BackOffice->Client and both are able to execute commands remotely.

So, what might be casunig this “Access is Denied” error. I could always write another script that sits on the BackOffice system and runs the Import-Cert locally, but I’d really prefer that the clients push the certificate to the BackOffice system.

Thank In Advance for any help.


Is the .CER file on a network share? If so, you may be running into the “second hop” problem of remoting. There are many ways to get around this, but the simplest (and generally most secure) is to avoid the need for a second hop in the first place. For example, you could copy the .cer file to a temporary location on the remote computer before you run Invoke-Command (and then use a local path on the target computer when you refer to the .cer file.)


Yes, the CER file is in a shared folder being accessed via a UNC path. I’ll try your suggestion and get back to you.




Thanks for the suggestion. It worked great. Copied the file to the BackOffice system and ran the Import on the local file instead. Cert imported fine.

Thanks again…