Installation of a Certificate
Question:
I need to automate the installation of a certificate to the current user's local machine store.
Does anyone know what would be the best method to do this that does not require GUI interaction?
Answer:
Install Microsoft Authenticode certificate
Now you need to install your certificate. The process to install the certificate depends on the certificate file type.
.PFX Certificate File
Windows 7 has a certificate installation wizard that can be invoked by simply double-clicking the .pfx file. Using the wizard,
installing a code signing certificate can be done in less than a minute.
.SPC and .PVK Certificate Files
In order to move your certificate and private key to the registry, Microsoft has
created a tool called PVKIMPRT, which can be used to copy the .spc and .pvk files to the registry. Moving the certificate
and private key to the registry allows you to sign your WinBatch exes.
Download the PVK Digital Certificate Files Importer:
[ Download PVKIMPRT ]
Please read the usage instructions after downloading pvkimprt from Microsoft.
The pvkimprt.exe file that you downloaded from Microsoft is a self-extracting archive which, when executed without
any options, will install the real 'pvkimprt.exe' into a directory on your path.
WinBatch offers a script to handle the install and import for you: InstallCodeSignCertificate.wbt, located
in your WinBatch\Samples subdirectory. Note: this script requires that you have already downloaded and installed
pvkimprt.exe from Microsoft.
[ Download InstallCodeSignCertificate.wbt ]
Otherwise, you can use PVKIMPRT from the Windows command line. Go to the START|Run menu, launch CMD.EXE, then type:
C:\WINDOWS\PVKIMPRT.EXE -IMPORT "{SPC file path}" "{PVK file path}"
- You will then be prompted to enter your 'Private Key Password'. Press 'OK'.
- It will then launch the Certificate Import Wizard. Press 'Next'.
- Select 'Automatically select the certificate store based on the type of certificate'. Press 'Next' then press 'Finish'.
- You will get a message that the import was completed.
How do I know if the Certificate is installed?
You have a few options to determine whether or not a certificate has been successfully
installed.
Using Certmgr.msc
CertMgr is a Microsoft Management Console (MMC) snap-in that allows you to view and
manage information about certificates, such as certificate contents and the certification
path. It also allows you to specify the friendly name for a certificate.
Using Internet Explorer
- Launch Internet Explorer
- Select the 'Tools'|'Internet Options' menu.
- Select the 'Content' tab.
- Press the 'Certificates' button.
- Select the 'Personal' tab.
Give Certificate a Friendly Name
You can view and manage the root certificates on your computer by using either
Internet Explorer or Certmgr.msc. Locate your desired certificate under the Trusted
Root Certification Authorities tab and click View and then the Details tab. Select
the Friendly Name field and click Edit Properties. There you can change the Friendly
Name.
See Also:
"CERTMGR" utility. You will have to copy the certificate to the local machine and import it using
certmgr. This utility can be called from the script and has a bunch of command line switches which will accomplish what
you need. Shell out to a DOS prompt and type "certmgr /?" for syntax.
Here's the way I used it.
certmgr -add -c mycert.cer -s -r localMachine root
See
http://msdn.microsoft.com/en-us/library/e78byta0(VS.80).aspx
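A non-interactive PowerShell alternative to the wizard and certmgr steps above, added here as an example (not code from the original page or from WinBatch). It checks the file's thumbprint before anything touches a store, then imports, verifies and optionally names the certificate. It assumes the Windows PKI module cmdlets (Import-Certificate, Import-PfxCertificate, Get-PfxData) are available; the path, thumbprint, store and friendly name are placeholders supplied by the caller.

```powershell
# Added example: silent certificate import with an identity check before the store is modified.
# All parameter values are caller-supplied placeholders (assumptions), not values from the page.
param(
    [Parameter(Mandatory)] [string] $Path,                # .cer/.crt or .pfx/.p12 file
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # obtained out of band from the issuer
    [string] $Store = 'Cert:\CurrentUser\My',             # Cert:\LocalMachine\... requires elevation
    [securestring] $PfxPassword,                          # needed only for .pfx/.p12
    [string] $FriendlyName
)
$ErrorActionPreference = 'Stop'

# Normalise the expected thumbprint (strip spaces/colons copied from a certificate dialog).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$fullPath = (Resolve-Path -Path $Path).Path
$isPfx    = [IO.Path]::GetExtension($fullPath) -in '.pfx', '.p12'

# Read the certificate from the file only; no store is touched yet.
if ($isPfx) {
    if (-not $PfxPassword) { throw 'A .pfx import needs -PfxPassword.' }
    $candidate = (Get-PfxData -FilePath $fullPath -Password $PfxPassword).EndEntityCertificates[0]
} else {
    $candidate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
}

# Refuse to install anything other than the certificate that was expected.
# This matters most for Root stores, where an import grants trust.
if ($candidate.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($candidate.Thumbprint), expected $expected. Nothing imported."
}

# Import without the wizard. The private key of a .pfx is non-exportable unless -Exportable is added.
# Note: writing to Cert:\CurrentUser\Root still raises a Windows confirmation dialog.
if ($isPfx) {
    Import-PfxCertificate -FilePath $fullPath -CertStoreLocation $Store -Password $PfxPassword | Out-Null
} else {
    Import-Certificate -FilePath $fullPath -CertStoreLocation $Store | Out-Null
}

# Scripted equivalent of checking in Certmgr.msc: confirm the certificate is now in the store.
$installed = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $expected
if (-not $installed) { throw "Import completed but $expected was not found in $Store." }

# Optional friendly name, as in the "Give Certificate a Friendly Name" step.
if ($FriendlyName) { $installed.FriendlyName = $FriendlyName }

$installed | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, FriendlyName
```

Save it under any name and run it from an elevated prompt when targeting a LocalMachine store; read the password with `Read-Host -AsSecureString` or from a secret vault rather than placing it on the command line.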
Article ID: W16375
File Created: 2019:08:14:08:52:02
Last Updated: 2019:08:14:08:52:02