It's relatively easy to import a certificate into the user's personal store from a pfx file by using CertUtil:
certutil -f -p [certificate_password] -importpfx C:\[certificate_path_and_name].pfx
But this ends up in the Personal Store of the current user. I need it in TrustedPeople on LocalMachine.
Is there any way I can do this from the command line, either by calling different arguments on certutil importpfx, using another certutil command or a different utility? PowerShell is another possibility, although I don't know much about it.
Cheers, Matt
Anchoring my findings here for future readers.
Import certificate to Trusted Root Certification Authorities on Local Machine:
CERTUTIL -addstore -enterprise -f -v root "someCertificate.cer"
Import pfx to Personal on local machine
CERTUTIL -f -p somePassword -importpfx "somePfx.pfx"
Import pfx to Trusted People on local machine - Link to importpfx.exe
importpfx.exe -f "somePfx.pfx" -p "somePassword" -t MACHINE -s "TRUSTEDPEOPLE"
Import certificate to Trusted People on local machine
Certutil -addstore -f "TRUSTEDPEOPLE" "someCertificate.cer"
For Windows 10:
Import certificate to Trusted Root Certification Authorities for Current User:
certutil -f -user -p oracle -importpfx root "example.pfx"
Import certificate to Trusted People for Current User:
certutil -f -user -p oracle -importpfx TrustedPeople "example.pfx"
Import certificate to Trusted Root Certification Authorities on Local Machine:
certutil -f -user -p oracle -enterprise -importpfx root "example.pfx"
Import certificate to Trusted People on Local Machine:
certutil -f -user -p oracle -enterprise -importpfx TrustedPeople "example.pfx"
Here is the complete code: import the PFX, add an IIS website, and add an SSL binding:
Import-Module WebAdministration   # provides New-WebSite, the IIS:\ drive and Get-WebConfiguration

$SiteName = "MySite"
$HostName = "localhost"
$CertificatePassword = '1234'
$SiteFolder = Join-Path -Path 'C:\inetpub\wwwroot' -ChildPath $SiteName
$certPath = 'c:\cert.pfx'

Write-Host 'Import pfx certificate' $certPath
$certRootStore = "LocalMachine"
$certStore = "My"
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($certPath,$CertificatePassword,"Exportable,PersistKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$store.Open('ReadWrite')
$store.Add($pfx)
$store.Close()
$certThumbprint = $pfx.Thumbprint

Write-Host 'Add website' $SiteName
New-WebSite -Name $SiteName -PhysicalPath $SiteFolder -Force
$IISSite = "IIS:\Sites\$SiteName"
Set-ItemProperty $IISSite -name Bindings -value @{protocol="https";bindingInformation="*:443:$HostName"}
# Optional: assign an application pool if $IISApplicationPool was set earlier in the script
if($IISApplicationPool) { Set-ItemProperty $IISSite -name ApplicationPool -value $IISApplicationPool }

Write-Host 'Bind certificate with Thumbprint' $certThumbprint
$obj = Get-WebConfiguration "//sites/site[@name='$SiteName']"
$binding = $obj.bindings.Collection[0]
$method = $binding.Methods["AddSslCertificate"]
$methodInstance = $method.CreateInstance()
$methodInstance.Input.SetAttributeValue("certificateHash", $certThumbprint)
$methodInstance.Input.SetAttributeValue("certificateStoreName", $certStore)
$methodInstance.Execute()
Check these links: http://www.orcsweb.com/blog/james/powershell-ing-on-windows-server-how-to-import-certificates-using-powershell/
Import-Certificate: http://poshcode.org/1937
You can do something like:
dir -Path C:\Certs -Filter *.cer | ForEach-Object { Import-Certificate -CertFile $_ -StoreNames AuthRoot, Root -LocalMachine -Verbose }
In newer versions of Windows, certutil has a [CertificateStoreName] argument where we can give the store name. In earlier versions of Windows this was not possible.
Installing a *.pfx certificate: certutil -f -p "" -enterprise -importpfx root ""
Installing a *.cer certificate: certutil -addstore -enterprise -f -v root ""
For more details, the command below can be executed in the Windows cmd prompt:
C:>certutil -importpfx -?
Usage: CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]
With Windows 2012 R2 (Win 8.1) and up, you also have the "official" Import-PfxCertificate cmdlet
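As an added example (not code from the answer above or from any of the posters), here is how the built-in Import-PfxCertificate cmdlet puts a PFX into LocalMachine\TrustedPeople, the store the question asks about, and then checks by thumbprint that the certificate really landed there. The PFX path C:\certs\example.pfx is an assumption, the password is prompted rather than hard-coded, and the script is assumed to run from an elevated PowerShell session:

```powershell
# Added example, not part of the original answers.
# Import a PFX into LocalMachine\TrustedPeople with the built-in cmdlet
# (Windows 8.1 / Server 2012 R2 and later) and verify the result.

$PfxPath  = 'C:\certs\example.pfx'                             # assumed path
$Password = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt; do not hard-code

# Cert:\ drive paths correspond to the store names certutil uses:
#   Cert:\LocalMachine\My            -> Personal
#   Cert:\LocalMachine\TrustedPeople -> Trusted People
#   Cert:\LocalMachine\Root          -> Trusted Root Certification Authorities
$StorePath = 'Cert:\LocalMachine\TrustedPeople'

# Without -Exportable the private key is imported as non-exportable,
# which is the safer default for a machine store.
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation $StorePath `
                                  -Password $Password

# Verify by thumbprint in the target store rather than trusting the return value alone.
$found = Get-ChildItem -Path $StorePath |
         Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

if (-not $found) {
    throw "Certificate $($imported.Thumbprint) not found in $StorePath after import."
}

"Imported {0} (expires {1}) into {2}; private key present: {3}" -f `
    $found.Subject, $found.NotAfter, $StorePath, $found.HasPrivateKey
```

Swap the store name in $StorePath (My, Root, TrustedPeople) to target the other stores mentioned in this thread; the verification step works the same way for each.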
Here are some essential parts of code (an adaptable example):
Invoke-Command -ComputerName $Computer -ScriptBlock {
    param(
        [string] $CertFileName,
        [string] $CertRootStore,
        [string] $CertStore,
        [string] $X509Flags,
        $PfxPass)
    $CertPath = "$Env:SystemRoot\$CertFileName"
    $Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # Flags to send in are documented here: https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags%28v=vs.110%29.aspx
    $Pfx.Import($CertPath, $PfxPass, $X509Flags) #"Exportable,PersistKeySet")
    $Store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $CertStore, $CertRootStore
    $Store.Open("MaxAllowed")
    $Store.Add($Pfx)
    if ($?)
    {
        "${Env:ComputerName}: Successfully added certificate."
    }
    else
    {
        "${Env:ComputerName}: Failed to add certificate! $($Error[0].ToString() -replace '[\r\n]+', ' ')"
    }
    $Store.Close()
    # Remove the temporary copy of the PFX from the remote machine
    Remove-Item -LiteralPath $CertPath
} -ArgumentList $TempCertFileName, $CertRootStore, $CertStore, $X509Flags, $Password
Based on mao47's code and some research, I wrote up a little article and a simple cmdlet for importing/pushing PFX certificates to remote computers.
Here's my article with more details and complete code that also works with PSv2 (default on Server 2008 R2 / Windows 7), so long as you have SMB enabled and administrative share access.
To anyone else looking for this, I wasn't able to use certutil -importpfx into a specific store, and I didn't want to download the importpfx tool supplied by jaspernygaard's answer in order to avoid the requirement of copying the file to a large number of servers. I ended up finding my answer in a PowerShell script shown here.
The code uses System.Security.Cryptography.X509Certificates to import the certificate and then moves it into the desired store:
function Import-PfxCertificate {
    # Note: Windows 8.1 / Server 2012 R2 and later ship a built-in cmdlet of the same name;
    # defining this function shadows it for the current session.
    param([String]$certPath,[String]$certRootStore = "localmachine",[String]$certStore = "My",$pfxPass = $null)
    $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
    if ($pfxPass -eq $null)
    {
        # Prompt without echoing; Import accepts a SecureString password
        $pfxPass = read-host "Password" -assecurestring
    }
    $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")
    # Pass -certStore "TrustedPeople" to land in Trusted People instead of Personal ("My")
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    $store.open("MaxAllowed")
    $store.add($pfx)
    $store.close()
}
Source: Stackoverflow.com