Sunday, March 29, 2015

Add public certificates by certutil

There are many ways to add public certificates to Trusted Root Certification Authorities or Intermediate Certification Authorities, such as PowerShell, Group Policy, VBScript and so on. This time, I'd like to use the old tool, certutil. certutil is a built-in tool in Windows Vista and later. To use certutil on Windows Server 2003, we need to install the admin pack or just copy certadm.dll and certutil.exe to the Windows Server 2003 computers.

Why do we use certutil to add public certificates to computers?

1. The computers don't support PowerShell to import certificates (Import-Certificate cmdlet).
2. The computers aren't joined to the domain.
3. To use VBScript, we need to register CAPICOM.dll on the destination computers before running the script.
4. To prevent the human mistake of adding a public certificate to the wrong store.

How to import public certificates by certutil?
We can run certutil -f -addstore <Store Name> <Public certificate location> at the Command Prompt to add the public certificate to the certificate store of the computer.

certutil -f -addstore root C:\RootCA.cert to add the public certificate to Trusted Root Certification Authorities

certutil -f -addstore CA C:\InterCA.cert to add the public certificate to Intermediate Certification Authorities
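The two commands above can be wrapped in a batch file that checks each file's hash before it is trusted and fixes the store name for each file, which addresses reason 4. This is an added example, not part of the original post; the expected SHA-256 values are placeholders, and it assumes an elevated Command Prompt and a certutil build whose -hashfile accepts SHA256.

```batch
@echo off
rem Added example: deploy the root and intermediate CA certificates from the post.
rem The SHA-256 values are placeholders; replace them with the hashes of the
rem certificate files obtained from the CA over a trusted channel.
setlocal EnableDelayedExpansion

set "ROOT_CERT=C:\RootCA.cert"
set "ROOT_SHA256=REPLACE_WITH_EXPECTED_SHA256_OF_ROOTCA_FILE"
set "INTER_CERT=C:\InterCA.cert"
set "INTER_SHA256=REPLACE_WITH_EXPECTED_SHA256_OF_INTERCA_FILE"

rem Each file is bound to its store here, so nobody types a store name by hand.
call :AddCert root "%ROOT_CERT%" "%ROOT_SHA256%" || exit /b 1
call :AddCert CA "%INTER_CERT%" "%INTER_SHA256%" || exit /b 1
echo Both certificates were added.
exit /b 0

:AddCert
rem %1 = store name, %2 = certificate file, %3 = expected SHA-256 of the file
if not exist "%~2" (
    echo Missing file: %~2
    exit /b 1
)
set "ACTUAL="
rem certutil -hashfile prints the hash on its second output line.
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%~2" SHA256') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
rem Older builds separate the bytes with spaces; strip them before comparing.
set "ACTUAL=!ACTUAL: =!"
if /i not "!ACTUAL!"=="%~3" (
    echo Hash mismatch for %~2, not adding it to the %~1 store.
    exit /b 1
)
certutil -f -addstore %~1 "%~2"
if errorlevel 1 (
    echo certutil failed for %~2
    exit /b 1
)
exit /b 0
```

The script stops at the first mismatch or certutil error, so the intermediate certificate is never added when the root file fails its check.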

This posting is provided “AS IS” with no warranties, and confers no rights!
