Windows – Import self-signed certificate with private key on Windows from command prompt

certificatecertutilcommand linessl-certificatewindows server 2012

Using inetmgr, I made a pfx file containing the public and private keys for a certificate. Now I'm trying to install the pfx into another machine from the command prompt with

certutil -p <password> -importpfx root <path_to_pfxfile>

Unfortunately, this is only importing the public key. If I use the certmgr snap-in I can import both keys, but I need to be able to automate this. Can anybody help?

Best Answer

The Import-PfxCertificate PowerShell command will probably do what you want. .

This would import the certificate(s) and keys stored in my.pfx file into the Trusted Root Certificate Authorities certificate store for the local machine.

Import-PfxCertificate –FilePath C:\mypfx.pfx cert:\localMachine\Root -Password $password

You may need to experiment a bit to find the name used for the certificate store of interest. I did this by copying the thumbprint of a certificate in the relevent store from the UI, removing spaces and then running

ls|where {$_.Thumbprint -eq "<thumprint value here, with spaces removed>"}

Which gave me this as part of the output.

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Related Solutions

Windows – Export installed certificate and private key from a command line remotely in Windows using something besides the certmgr.MSC tool

See Stack Overflow question Export certificate from IIS using PowerShell.

If the answer works for you, then you can run PowerShell code on remote server using PSRemoting (Enter-PSSession or Invoke-Command) or psexec.

Does anyone know how to dir the cert store like, "dir cert:\localmachine\my | Where-Object { $_.hasPrivateKey } | " AND then feed that to the certutil export with the thumbprint?

Try this, works for me:

Get-ChildItem -Path 'Cert:\localmachine\My' |
    Where-Object { $_.hasPrivateKey } |
        Foreach-Object {
            &certutil.exe @('-exportpfx', '-p', 'secret',  $_.Thumbprint, "$($_.Subject).pfx")
         }

Beware, that sometimes you wouldn't be able to use Subject as file name, due to invalid foreign-language characters in the Unicode.

Google-chrome – Chrome is not accepting the IIS self-signed certificate

Yes this post is old. Here is the answer:

Why is this happening? The commonName was deprecated in RFC 2818 (published in 2000), but support still remains in a number of TLS clients including Internet Explorer. https://www.chromestatus.com/feature/4981025180483584

What do I need to do? You need to issue a web certificate using Certificates MMC console for Computer account and specify the san: attribute.

Refer to the Microsoft article below: https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

Best Answer

Related Solutions

Windows – Export installed certificate and private key from a command line remotely in Windows using something besides the certmgr.MSC tool

Google-chrome – Chrome is not accepting the IIS self-signed certificate

Related Question