Import pfx file into particular certificate store from command line
Solution 1
Anchoring my findings here for future readers.
Import certificate to Trusted Root Certification Authorities on Local Machine:
CERTUTIL -addstore -enterprise -f -v root "somCertificat.cer"
Import pfx to Personal on local machine
CERTUTIL -f -p somePassword -importpfx "somePfx.pfx"
Import pfx to Trusted People on local machine - Link to importpfx.exe
importpfx.exe -f "somePfx.pfx" -p "somePassword" -t MACHINE -s "TRUSTEDPEOPLE"
Import certificate to Trusted People on local machine
Certutil -addstore -f "TRUSTEDPEOPLE" "someCertificate.cer"
Solution 2
To anyone else looking for this, I wasn't able to use certutil -importpfx
into a specific store, and I didn't want to download the importpfx tool supplied by jaspernygaard's answer in order to avoid the requirement of copying the file to a large number of servers. I ended up finding my answer in a powershell script shown here.
The code uses System.Security.Cryptography.X509Certificates
to import the certificate and then moves it into the desired store:
function Import-PfxCertificate {
param([String]$certPath,[String]$certRootStore = "localmachine",[String]$certStore = "My",$pfxPass = $null)
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
if ($pfxPass -eq $null)
{
$pfxPass = read-host "Password" -assecurestring
}
$pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
}
Solution 3
Check these links: http://www.orcsweb.com/blog/james/powershell-ing-on-windows-server-how-to-import-certificates-using-powershell/
Import-Certificate: http://poshcode.org/1937
You can do something like:
dir -Path C:\Certs -Filter *.cer | Import-Certificate -CertFile $_ -StoreNames AuthRoot, Root -LocalMachine -Verbose
Solution 4
For Windows 10:
Import certificate to Trusted Root Certification Authorities for Current User:
certutil -f -user -p oracle -importpfx root "example.pfx"
Import certificate to Trusted People for Current User:
certutil -f -user -p oracle -importpfx TrustedPeople "example.pfx"
Import certificate to Trusted Root Certification Authorities on Local Machine:
certutil -f -user -p oracle -enterprise -importpfx root "example.pfx"
Import certificate to Trusted People on Local Machine:
certutil -f -user -p oracle -enterprise -importpfx TrustedPeople "example.pfx"
Solution 5
With Windows 2012 R2 (Win 8.1) and up, you also have the "official" Import-PfxCertificate cmdlet
Here are some essential parts of code (an adaptable example):
Invoke-Command -ComputerName $Computer -ScriptBlock {
param(
[string] $CertFileName,
[string] $CertRootStore,
[string] $CertStore,
[string] $X509Flags,
$PfxPass)
$CertPath = "$Env:SystemRoot\$CertFileName"
$Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# Flags to send in are documented here: https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags%28v=vs.110%29.aspx
$Pfx.Import($CertPath, $PfxPass, $X509Flags) #"Exportable,PersistKeySet")
$Store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $CertStore, $CertRootStore
$Store.Open("MaxAllowed")
$Store.Add($Pfx)
if ($?)
{
"${Env:ComputerName}: Successfully added certificate."
}
else
{
"${Env:ComputerName}: Failed to add certificate! $($Error[0].ToString() -replace '[\r\n]+', ' ')"
}
$Store.Close()
Remove-Item -LiteralPath $CertPath
} -ArgumentList $TempCertFileName, $CertRootStore, $CertStore, $X509Flags, $Password
Based on mao47's code and some research, I wrote up a little article and a simple cmdlet for importing/pushing PFX certificates to remote computers.
Here's my article with more details and complete code that also works with PSv2 (default on Server 2008 R2 / Windows 7), so long as you have SMB enabled and administrative share access.
Bob Tway
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." Stack Overflow appears to be a vast experiment to prove the truth of this statement.
Updated on January 05, 2022Comments
-
Bob Tway over 2 years
It's relatively easy to import a certificate into the user's personal store from a pfx file by using CertUtil:
certutil –f –p [certificate_password] –importpfx C:\[certificate_path_and_name].pfx
But this ends up in the Personal Store of the current user. I need it in TrustedPeople on LocalMachine.
Is there any way I can do this from the command line, either by calling different arguments on certutil importpfx, using another certutil command or a different utility? Powershell is another possibility, although I don't know much about it.
Cheers, Matt
-
Simon Gillbee over 10 yearsIt is frustrating that CERTUTIL cannot import a PFX to TRUSTEDPEOPLE. CertUtil works fine with a remote PSSession (PowerShell), but importpfx does not (FYI, source to importpfx is home.fnal.gov/~jklemenc/src/importpfx.cpp). I'm not sure what CERTUTIL is doing differently, but it does work with remote PS sessions, but I cannot place the cert in Trusted People. Sigh. A very frustrating couple of days.
-
jaspernygaard almost 10 yearsWe ended up writing a set of powershell functions, to do the hard work. Look at CiPsLib.Certificates.psm1 -> Import-Certificate github.com/rasmus/CiPsLib/tree/master/tools
-
Ravi Khambhati almost 9 yearscan you please help me understand values and its meaning. "MaxAllowed", "My",
-
mao47 almost 9 years@RaviKhambhati: My is the name of the cert store I'm using. see msdn.microsoft.com/en-us/library/windows/desktop/… for some more info about cert store locations. MaxAllowed is the value of the OpenFlags I am using to open. I honestly just copied and pasted that part, but you can learn more about it's possible values here: msdn.microsoft.com/en-us/library/…
-
Ravi Khambhati almost 9 yearsThanks a lot. When we do the same operation from IIS what will be these values
-
Enamul Hassan over 8 yearsWhilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
-
drgmak about 8 yearsHow can i import without using a password? Is it possible?
-
Frode Nilsen about 8 years@drgmak, if the certificate is protected with an empty password you use -p "". If it is password protected you need to know the password.
-
AQuirky over 6 yearsI was really struggling to add a user certificate to a new store. The last example worked for me. Note: if you use a store name (e.g. "ABC") instead of "TrustedPeople" the store will be created! There is no need to use the -addstore argument to add a store...this is the thing that I was stuck on.
-
brianary over 6 yearsYou probably want the import flags to be
"Exportable,MachineKeySet,PersistKeySet"
in order to get the private key into the machinekeys, rather than into the current users' profile. -
recolic over 2 yearsYour code is literally wrong. You're using non-ASCII
“
, which cause undefined behavior in powershell. It may randomly fail, on randomly line, with random reason, in the farking unreliable powershell parser. -
mao47 over 2 yearsI've adjusted it @recolic. I'm not sure if that worked in my environment or if I had fixed it but forgot to come update this answer.