10

Is there any way to add a certificate to Local Computer's Trusted Root Certification Authority using the command line? I tried using certmgr.exe; it shows success, but when I check the root CA, I don't see my certificate there.

I followed the guide here:

http://msdn.microsoft.com/en-us/library/ms172241.aspx

Basically trying this command:

certmgr.exe -add -c mycertificate.cer -s -r localMachine root

The command works and shows success on the command line, but I cannot see the certificate in the actual trusted root store through mmc. Is the procedure for a self-signed certificate different? I have set up an IIS server with an SSL binding to this certificate, which is originally placed in the "MY" store. But I'm doing everything through automated scripts, so I want to know how I can add this certificate to the trusted root CA using a command-line option.

Johnydep
  • What were the actual command line options you used with CertMgr.exe? What (user) context are the scripts running in? How did you create the certificate? How are you checking the root CA? – Ƭᴇcʜιᴇ007 Aug 18 '12 at 00:56
  • I used only this command: certmgr.exe -add -c mycertificate.cer -s -r localMachine root – Johnydep Aug 19 '12 at 19:55
  • And of course the script is an invoked Java process running under admin privileges. – Johnydep Oct 06 '12 at 13:26

3 Answers

4

The PowerShell command Import-Certificate can be used to import a certificate:

Import-Certificate -FilePath "C:\path\Cert.Cer" -CertStoreLocation cert:\CurrentUser\Root

To run it through the Command Prompt (or batch) you may run it as:

powershell "Import-Certificate -FilePath ^"C:\path\Cert.Cer^" -CertStoreLocation cert:\CurrentUser\Root"

Note above the use of the ^ escape character.

To list all available certificate stores, start a PowerShell session and enter:

dir cert:\LocalMachine\
harrymc
  • Does this solution avoid warnings on the browsers? – João Pimentel Ferreira Aug 25 '20 at 15:58
  • 1
    What kind of warnings? There shouldn't be any if the certificate is there. – harrymc Aug 28 '20 at 09:02
  • Sometimes I install the certificates like that, but browsers still present security warnings. https://bytebitebit.com/1124/disable-invalid-ssl-certificate-warning/ – João Pimentel Ferreira Aug 28 '20 at 14:15
  • 1
    @JoãoPimentelFerreira: If you mean the invalid SSL certificate warning, why is it invalid? Problems like elapsed date can be worked around in some browsers but not all. Missing Root Certification Authority is much more serious. So which is it? – harrymc Aug 28 '20 at 14:20
  • how can I give you the bounty? It's quite odd. The first time I'm doing this because I created the bounty but I am not the OP. Stack Exchange rules are quite complex with all these time limits and restrictions. – João Pimentel Ferreira Sep 03 '20 at 12:58
  • 1
    @JoãoPimentelFerreira: Too late - your bounty has elapsed; it only lasts 7+1 days. Don't worry about it. – harrymc Sep 03 '20 at 12:59
  • But if I remember correctly, when I am the OP and the bounty creator, I can still attribute the bounty after that time period. It's unfair for you. – João Pimentel Ferreira Sep 04 '20 at 15:58
  • 1
    It sometimes happens. No problem on my side. – harrymc Sep 04 '20 at 16:10
2

Did you try it manually (by double-clicking on the CER file)? If even manually it's not working, you might be encountering a Vista bug.

Install a Root CA certificate from the command line (cmd.exe)

(This requires the Windows SDK. Visual Studio will install it for you and add it to the %PATH%.)

certmgr /add /c mycertificate.cer /s /r localMachine root

Note that no errors will be reported; the command will always return success (even when using a non-existing file for the certificate!). If the certificate doesn't show up in the Certificate Manager (certmgr.msc) after running this command, repeat the process using the manual steps below to check if there is any error in your certificate file.

Manual steps to install a Root CA certificate

  1. Double-click on the .cer file.
  2. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.
  3. On the Welcome page, click Next.
  4. On the Certificate Store page, select Place all certificates in the following store and click Browse.
  5. In the Select Certificate Store dialog box, select Show Physical Stores.
  6. Double-click Trusted Root Certification Authorities, select Local Computer, and then click OK.
  7. On the Certificate Store page, click Next.
  8. On the summary page, review the details and click Finish.

Install a Root CA certificate from PowerShell

See @harrymc's great answer below.

tricasse
0

Powershell "Import-Certificate -FilePath 'C:\path\Cert.Cer' -CertStoreLocation Cert:\LocalMachine\Root"

The path location needs to have the ' rather than the " for cmd
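
Since certmgr is reported above to return success even when nothing was installed, an automated script should confirm the result itself. The following is an added example, not code from any of the answers: it imports with Import-Certificate into Cert:\LocalMachine\Root and then checks the store by thumbprint. The file path and the optional `$ExpectedThumbprint` parameter are assumptions made for illustration.

```powershell
# Added example: import a root certificate and verify it actually landed in the store.
# $CertPath is a placeholder; $ExpectedThumbprint is a hypothetical optional pin.
param(
    [string]$CertPath = 'C:\path\Cert.Cer',
    [string]$Store = 'Cert:\LocalMachine\Root',
    [string]$ExpectedThumbprint = ''
)
$ErrorActionPreference = 'Stop'

# Writing to a LocalMachine store requires an elevated session.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated: cannot write to $Store."
}

# Fail early on a missing or unparsable file instead of trusting an exit code.
if (-not (Test-Path -LiteralPath $CertPath -PathType Leaf)) {
    throw "Certificate file not found: $CertPath"
}
$fullPath = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Adding a root is a trust decision: refuse a file that is not the one expected.
if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper())) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}
# A root store entry is normally self-signed (subject equals issuer).
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
}
Write-Host "Trusting $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

Import-Certificate -FilePath $fullPath -CertStoreLocation $Store | Out-Null

# Verify by thumbprint rather than by the import command's reported result.
$installed = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) {
    throw "Import returned, but $($cert.Thumbprint) is not present in $Store"
}
Write-Host "Verified: $($cert.Thumbprint) is present in $Store"
```

Because a failed check throws, a calling batch file or process can rely on a non-zero exit code when the script is run with `powershell -File`.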