Windows – Importing .PEM certificates on Windows 7 on the command line

certificatecommand linewindowswindows 7

I need to import a PEM certificate on a massive number of freshly installed Windows 7 Enterprise machines.

Normally, I would do it through MMC → Certificates (Local Computer) snap-in → Trusted Root Certificates → Import, but I need to speed things up. Therefore, I'd like to use only the command prompt.

With certmgr.exe (not certmgr.msc!), I would type:

certmgr.exe -add -c C:\certificate.pem -s -r localMachine root

The problem is that certmgr.exe does not exist in Windows 7. How then can I add a certificate from the command line?

Best Answer

You need to use certutil.exe instead:

certutil –addstore -enterprise –f "Root" <pathtocertificatefile>

will add the certificate to the Trusted Root Certification Authorities store.

If you want to add an Intermediate Certification Authority, replace Root with CA and to add to your Personal store, change it to My.

All the above adds the certificate to the Local Computer store. To add to the User store remove the -enterprise from the command line:

certutil –addstore –f "Root" <pathtocertificatefile>

The -f in the command simply forces an overwrite in the case where the certificate is already installed.

Related Solutions

Windows 7 Certificate Manager Snap-In without access to MMC

Go to Control Panel (icon view) > Internet Options > Content Tab > Certificates button > Trusted Root Certificate tab

Then use the import button.

. enter image description here

Depending on the format of the certificate the user may need to select the proper certificate type from the drop down box before it can be seen.

. enter image description here

Windows – Export installed certificate and private key from a command line remotely in Windows using something besides the certmgr.MSC tool

See Stack Overflow question Export certificate from IIS using PowerShell.

If the answer works for you, then you can run PowerShell code on remote server using PSRemoting (Enter-PSSession or Invoke-Command) or psexec.

Does anyone know how to dir the cert store like, "dir cert:\localmachine\my | Where-Object { $_.hasPrivateKey } | " AND then feed that to the certutil export with the thumbprint?

Try this, works for me:

Get-ChildItem -Path 'Cert:\localmachine\My' |
    Where-Object { $_.hasPrivateKey } |
        Foreach-Object {
            &certutil.exe @('-exportpfx', '-p', 'secret',  $_.Thumbprint, "$($_.Subject).pfx")
         }

Beware, that sometimes you wouldn't be able to use Subject as file name, due to invalid foreign-language characters in the Unicode.

Best Answer

Related Solutions

Windows 7 Certificate Manager Snap-In without access to MMC

Windows – Export installed certificate and private key from a command line remotely in Windows using something besides the certmgr.MSC tool

Related Question