Import Certificate to Trusted Root but not to Personal [Command Line] - windows

I am trying to import two certificates to my local machine using the command line.
I have one certificate to add to the Personal Store of the local machine, and another one to add to the Trusted Root Certification Authorities.
Here is the command to add to the Personal Store and not to the Root store:
certutil -f -importpfx CA.pfx NoRoot
And to add to Trusted Root and not Personal? Is there any flag? I didn't find one in the command help "/?".

Look at the documentation of certutil.exe and the -addstore option.
I tried
certutil -addstore "Root" "c:\cacert.cer"
and it worked well (meaning the certificate landed in the Trusted Root store of LocalMachine).
EDIT:
If there are multiple certificates in a pfx file (key + corresponding certificate and a CA certificate) then this command worked well for me:
certutil -importpfx c:\somepfx.pfx
EDIT2:
To import a CA certificate to the Intermediate Certification Authorities store, run the following command:
certutil -addstore "CA" "c:\intermediate_cacert.cer"

The command below would help you add the cert to the Root store:
certutil -enterprise -f -v -AddStore "Root" <Cert File path>
This worked for me perfectly.

To print the content of Root store:
certutil -store Root
To output content to a file:
certutil -store Root > root_content.txt
To add certificate to Root store:
certutil -addstore -enterprise Root file.cer
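As an added example (not part of the answers above, which use certutil), here is the same import done with the PKI module's Import-Certificate, with the checks a practitioner wants before and after: that the file really is a CA certificate, that it landed in the intended store, and that it did not also end up in Personal. It generalizes the two certutil -addstore commands above by choosing Root or CA from the certificate itself (self-issued means root, otherwise intermediate). Assumptions: Windows PowerShell 5.1 or later with the PKI module, an elevated session, and your own .cer path in place of C:\cacert.cer. Note that Cert:\LocalMachine\Root is the machine's local store; it is not the enterprise store that certutil -enterprise writes to.

```powershell
# Added example, not from the original answers. Requires the PKI module and an elevated session.
function Import-CaCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath
    )
    $CertPath = (Resolve-Path $CertPath).Path

    # Parse the file before touching any store so we can inspect what we are about to trust.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # Only CA certificates belong in Root or CA: a leaf placed there would be treated as an issuer.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $selfIssued = ($cert.Subject -eq $cert.Issuer)
    if ($bc -and -not $bc.CertificateAuthority) {
        throw "$($cert.Subject) has basicConstraints CA=false; it is an end-entity certificate, import it into My instead."
    }
    if (-not $bc -and -not $selfIssued) {
        throw "$($cert.Subject) has no basicConstraints extension and is not self-issued; refusing to treat it as a CA."
    }
    if (-not $bc) { Write-Warning "$($cert.Subject) has no basicConstraints extension (old-style root); trusting it because it is self-issued." }

    # Self-issued (subject == issuer) goes to Trusted Root; anything else is an intermediate.
    $store    = if ($selfIssued) { 'Root' } else { 'CA' }
    $location = "Cert:\LocalMachine\$store"

    Import-Certificate -FilePath $CertPath -CertStoreLocation $location | Out-Null

    # Verify by thumbprint, not by subject name (names are not unique across stores).
    $found = Get-ChildItem $location | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $found) { throw "Import reported success but $($cert.Thumbprint) is not present in $location" }

    # A CA cert that also sits in Personal is a sign something imported it with its private key.
    $inMy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        Store          = $store
        AlsoInPersonal = [bool]$inMy
    }
}

# Usage (path is an assumption): a self-signed CA file lands in Root, an intermediate in CA.
Import-CaCertificate -CertPath 'C:\cacert.cer'
```

The function throws rather than importing when the file is an end-entity certificate, which is the mistake the thumbprint check alone would not catch: certutil -addstore "Root" will happily trust a server certificate as a root.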

If there are multiple certificates in a pfx file (key + corresponding certificate and a CA certificate) then this command worked well for me:
certutil -importpfx c:\somepfx.pfx
This works, but a password still needs to be typed in manually for the private key.
Including -p and "password" causes a "too many arguments" error from certutil on XP.

There is a fairly simple answer with powershell.
Import-PfxCertificate -Password $secure_pw -CertStoreLocation Cert:\LocalMachine\Root -FilePath certs.pfx
The trick is making a "secure" password...
$plaintext_pw = 'PASSWORD';
$secure_pw = ConvertTo-SecureString $plaintext_pw -AsPlainText -Force;
Import-PfxCertificate -Password $secure_pw -CertStoreLocation Cert:\LocalMachine\Root -FilePath certs.pfx;
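An added example, not part of the answer above: the same Import-PfxCertificate call, but with the password read as a SecureString instead of sitting in the script as plain text, the leaf imported into the Personal store (a certificate with a private key belongs in My, not Root), a sign/verify round trip to prove the key is usable from this account, and a report of where each CA certificate bundled in the PFX ended up. This also covers the certutil -importpfx password problem described two answers up, since PowerShell never puts the password on a command line. Assumptions: Windows PowerShell 5.1 or later with the PKI module (Import-PfxCertificate, Get-PfxData), an elevated session, and your own PFX path in place of C:\certs.pfx.

```powershell
# Added example, not from the original answer. Requires the PKI module and an elevated session.
function Import-ServerPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [securestring] $Password = (Read-Host -Prompt 'PFX password' -AsSecureString),
        [switch] $Exportable
    )
    $PfxPath = (Resolve-Path $PfxPath).Path

    # Inspect the bundle first: Get-PfxData separates the end-entity certificate from any CA
    # certificates packed alongside it, so we know exactly what the import will touch.
    $data = Get-PfxData -FilePath $PfxPath -Password $Password
    if ($data.EndEntityCertificates.Count -ne 1) {
        throw "Expected exactly one end-entity certificate in $PfxPath, found $($data.EndEntityCertificates.Count)"
    }

    # Leaf + private key go into Personal. Without -Exportable the key is marked non-exportable,
    # which is what you want for a server key that should never leave this machine.
    $params = @{ FilePath = $PfxPath; Password = $Password; CertStoreLocation = 'Cert:\LocalMachine\My' }
    if ($Exportable) { $params.Exportable = $true }
    $leaf = Import-PfxCertificate @params
    if (-not $leaf.HasPrivateKey) { throw "Imported $($leaf.Thumbprint) but no private key is attached to it" }

    # HasPrivateKey only says a key is referenced. Prove it is usable here: sign a nonce and verify.
    $keyWorks = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($leaf)
    if ($rsa) {
        $nonce = [byte[]](1..32 | ForEach-Object { Get-Random -Maximum 256 })
        $hash  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
        $pad   = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $sig   = $rsa.SignData($nonce, $hash, $pad)
        $keyWorks = $rsa.VerifyData($nonce, $sig, $hash, $pad)
    }

    # Report where each bundled CA certificate sits. Decide their placement deliberately
    # (Root for self-issued, CA for intermediates) rather than letting everything fall into Root.
    $placement = foreach ($c in $data.OtherCertificates) {
        $where = foreach ($s in 'Root', 'CA', 'My') {
            if (Get-ChildItem "Cert:\LocalMachine\$s" | Where-Object Thumbprint -eq $c.Thumbprint) { $s }
        }
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; InStores = ($where -join ',') }
    }

    [pscustomobject]@{
        Leaf             = $leaf.Subject
        Thumbprint       = $leaf.Thumbprint
        PrivateKeyUsable = $keyWorks   # $null means a non-RSA key, which this check skips
        BundledCAs       = $placement
    }
}

# Usage (path is an assumption); the password is prompted for, never stored in the script.
Import-ServerPfx -PfxPath 'C:\certs.pfx'
```

If the script has to run unattended, take the password from a secret store or an environment variable injected at run time and convert it with ConvertTo-SecureString at that point; the plaintext then never lives in a file on disk.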

Related

open certmgr.msc from command line on localMachine

I need to start "certmgr.msc" from "cmd.exe" on the "localMachine" repository so that I can import/export certificates.
I have tried the following commands but the "certmgr.msc" keeps opening on "currentUser".
certmgr.msc -s -r localMachine root
mmc.exe certmgr.msc -s -r localMachine root
certmgr.msc -v -s -r localMachine my
This should do it
"C:\WINDOWS\SYSTEM32\MMC.EXE" "C:\WINDOWS\SYSTEM32\CERTLM.MSC"
Create a custom console by adding the Certificates snap-in and targeting it at the local computer. Then save this console to a .mmc file.
You can refer to this saved file in the command line. You can also distribute this custom console to other machines.
The below should start the MMC console with both nodes, CurrentUser & Local Computer:
certificates.msc
mmc.exe certlm.msc -s -r localMachine root
It should work - tested on win2012r2.

How to Import a Certificate from Windows into Firefox

I need to script the export of a cert from our Windows store into Firefox. I am having trouble getting the cert into the correct "container". The certificate, as generated from a command line as well, is a .pfx file with a password. I can manually import the cert into Firefox under the "Your Certificates" tab of the Certificate Manager. However, when I run the command line, it dumps the cert under the tab labeled "Others" and the website we're trying to access either can't find the cert there or there's a problem with the import itself.
My first couple of attempts failed with errors, but following up on them I found a site that suggested I convert the .pfx file to a .pem file. I followed those instructions and the command line now runs without error. The other thing to note here is that, using the GUI, I cannot import the .PEM file, but I can import the .PFX file.
Assuming that the .pem file is encoded and formatted correctly, how can I get this line of code to put the cert into the right container?
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pem
(I added the '-f' argument in case it's needed to import the password-protected file. I've run this both with and without it and got the same results.)
I also exported the cert in a .cer format.
Here are some other attempts and results:
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.cer
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
(Although, dropping the '-a' argument allowed this command to complete without error.)
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: invalid arguments.
(This one uses the .pfx file and drops the '-a' argument)
Any ideas? Thanks for your time.
Eric
I just posted a solution to StackOverflow that you might find helpful.
Our certificates are in .cer format and work fine.
Programmatically Install Certificate into Mozilla
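An added example, not part of the question or the answer above. The certutil in the question is the NSS certutil that ships with the NSS tools (not the Windows certutil of the same name), and its -A mode imports a certificate only; a PKCS#12 file that carries the private key is imported with pk12util, which is what places the entry under "Your Certificates" rather than "Others". The script below runs pk12util against every Firefox profile and then confirms, from the NSS trust flags, that the database now holds a certificate with its private key. Assumptions: the NSS tools directory (pk12util.exe and NSS certutil.exe) is at the hypothetical path C:\nss\bin, profiles live under %APPDATA%\Mozilla\Firefox\Profiles and use the sql: (cert9.db) format of Firefox 58 and later, Firefox is closed while the script runs, and the PFX password is prompted for.

```powershell
# Added example, not from the original post. NSS tools location is an assumption.
$NssBin = 'C:\nss\bin'

# Nicknames whose trust flags are u,u,u: certificates for which the database holds the private
# key, i.e. the entries Firefox shows under "Your Certificates".
function Get-NssOwnedNicknames {
    param([string] $Db)
    # Use the NSS certutil explicitly; plain "certutil" resolves to the Windows one in System32.
    $lines = & (Join-Path $NssBin 'certutil.exe') -L -d $Db 2>$null
    foreach ($line in $lines) {
        if ("$line" -match '^(.*?)\s+u,u,u\s*$') { $Matches[1].Trim() }
    }
}

function Import-PfxIntoFirefox {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [securestring] $PfxPassword = (Read-Host -Prompt 'PFX password' -AsSecureString),
        [string] $ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
    )
    if (Get-Process firefox -ErrorAction SilentlyContinue) {
        throw 'Close Firefox first; it holds the profile database open while running.'
    }
    $PfxPath = (Resolve-Path $PfxPath).Path

    # pk12util reads the PKCS#12 password from a file given with -w; a temp file in the user's
    # own %TEMP% keeps it off the process command line, which other local users can read.
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
    $pwFile = New-TemporaryFile
    try {
        Set-Content -Path $pwFile -Value ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) -NoNewline

        foreach ($profile in Get-ChildItem $ProfilesRoot -Directory) {
            $db = "sql:$($profile.FullName)"      # cert9.db / key4.db
            $before = @(Get-NssOwnedNicknames $db)

            & (Join-Path $NssBin 'pk12util.exe') -i $PfxPath -d $db -w $pwFile.FullName | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "pk12util failed for profile $($profile.Name) (exit $LASTEXITCODE)" }

            # The check: which u,u,u entries exist now that did not before.
            $added = @(Get-NssOwnedNicknames $db) | Where-Object { $before -notcontains $_ }
            [pscustomobject]@{ Profile = $profile.Name; AddedWithKey = ($added -join ',') }
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Item $pwFile -ErrorAction SilentlyContinue
    }
}

# Usage (path is an assumption).
Import-PfxIntoFirefox -PfxPath 'C:\temp\CertImport\CertEric.pfx'
```

If a profile has a master password set, pk12util and certutil also need -k with a file holding it; the database is otherwise opened without one. Certificates that should only be trusted (a CA, for example) still go in with certutil -A and trust flags, as in the question; pk12util is for the entries you own.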

Issue with creating certificate request through MQ runmqckm

I'm trying to create a certificate request with the command line below and it returned an error:
./runmqckm -certreq -create -db /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb -pw password123 -label ibmwebspheremqsslreceiver -dn "CN=SSLCLIENT,O=IBMIBM,C=US" -file /var/mqm/sslreceiverreq.arm
The keystore already contains an entry with label 'ibmwebspheremqsslreceiver'.
Choose a different label and try again.
However, there is no such entry as ibmwebspheremqsslreceiver in my current keystore file:
#/usr/mqm/bin $ ./runmqckm -cert -list -db /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb -pw password123
Certificates in database /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb:
ssl_ca
So why did this happen?
The first command creates a certificate request.
The second command lists certificates.
If you want to list certificate requests, use the -certreq -list command instead of the -cert -list command.
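An added example, not part of the answer above: a small wrapper around runmqckm that checks the label against both listings (certificates and pending requests) before calling -certreq -create, so the collision is reported with the right listing command instead of the generic "already contains an entry" message, and then confirms the request shows up under -certreq -list. Only the runmqckm options that appear in the question are used. Assumptions: runmqckm is on the path (it lives in the MQ bin directory on Windows), the listing output is a header line followed by one label per line with the default certificate marked by a leading '*', and the key database password is prompted for. It is still passed to runmqckm with -pw exactly as in the question, so it is visible in the process list for as long as the command runs.

```powershell
# Added example, not from the original answer. Assumes runmqckm is on the path.
function Get-KdbLabels {
    param(
        [Parameter(Mandatory)] [string] $Kdb,
        [Parameter(Mandatory)] [string] $Pw,
        [Parameter(Mandatory)] [ValidateSet('cert', 'certreq')] [string] $Kind
    )
    $out = & runmqckm "-$Kind" -list -db $Kdb -pw $Pw 2>&1
    if ($LASTEXITCODE -ne 0) { throw "runmqckm -$Kind -list failed (exit $LASTEXITCODE): $($out -join ' ')" }
    # Skip the "Certificates in database ...:" / "Certificate requests in database ...:" header,
    # strip the '*' that marks the default certificate, and drop blank lines.
    $out | Select-Object -Skip 1 |
        ForEach-Object { "$_".Trim().TrimStart('*').Trim() } |
        Where-Object { $_ }
}

function New-KdbCertRequest {
    param(
        [Parameter(Mandatory)] [string] $Kdb,
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Dn,
        [Parameter(Mandatory)] [string] $File,
        [string] $Pw = (Read-Host -Prompt 'Key database password')
    )
    # Certificates and pending requests share one label namespace, which is why "-cert -list"
    # can show only ssl_ca while "-certreq -create" still refuses the label.
    $certs = @(Get-KdbLabels -Kdb $Kdb -Pw $Pw -Kind cert)
    $reqs  = @(Get-KdbLabels -Kdb $Kdb -Pw $Pw -Kind certreq)
    if ($certs -contains $Label) { throw "'$Label' is already a certificate in $Kdb (runmqckm -cert -list -db $Kdb)" }
    if ($reqs  -contains $Label) { throw "'$Label' is already a pending request in $Kdb (runmqckm -certreq -list -db $Kdb)" }

    & runmqckm -certreq -create -db $Kdb -pw $Pw -label $Label -dn $Dn -file $File
    if ($LASTEXITCODE -ne 0) { throw "runmqckm -certreq -create failed with exit code $LASTEXITCODE" }

    # Confirm the request now exists where requests are listed; returns $true on success.
    @(Get-KdbLabels -Kdb $Kdb -Pw $Pw -Kind certreq) -contains $Label
}

# Usage with the values from the question (paths are the question's Unix paths; adjust on Windows).
New-KdbCertRequest -Kdb '/var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb' `
    -Label 'ibmwebspheremqsslreceiver' -Dn 'CN=SSLCLIENT,O=IBMIBM,C=US' -File '/var/mqm/sslreceiverreq.arm'
```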

Using an XP batch file to import a p12 certificate into the Certificates (Local Computer) \personal store

I'm trying to use a windows XP batch file to automate importing .p12 certificates into what the MMC "Certificates" snap-in calls
Certificates (Local Computer) \Personal\Certificates
certmgr.msc might be the right tool for this purpose, but I have tried
a:\certmgr.msc /add /c /s /r localMachine a:\<certname>.p12
importpfx -f a:\certs\<certname>.* -p <cert pw> -t MACHINE -s My
And a few others, without success. Usually the MMC just opens with the Certificates snap-in. I've not seen any certs actually moved or imported anywhere as a result.
I've also tried the cert path\name without the environment variable and wildcard, but the certs I get may or may not simply be the workstation name.p12.
Any suggestions?
-Clay
The below code worked for me on Windows 8 and Windows Server 2012 R2.
I used the below command in my batch file:
certutil -f -sid 22 -p [Password1] -importpfx "My" "%~dp0\whatever.pfx" NoRoot
-sid WELL_KNOWN_SID_TYPE -- Numeric SID
22 -- "Local System", 23 -- "Network Service", 24 -- "Local Service"

makecert gives "Fail to acquire a security provider from the issuer's certificate" - why?

Dear ladies and sirs.
Observe this simple batch file:
makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer
del MyCA.pvk
del MyCA.cer
makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA
However, the last makecert fails with the following error message:
Error: Fail to acquire a security provider from the issuer's certificate
How do I troubleshoot it? Any ideas? BTW, the first makecert succeeds. Of course, I delete it again, before running the commands again.
Thanks.
EDIT1
I understood the reasons for the failure. The second command expects the file MyCA.pvk to exist, but I do not want to keep it around. So, what can I do?
Just leave out the -sv MyCA.pvk part. It should still generate a private key and store it normally and not as a pvk file and it should be found by makecert ... -in MyCA.1
I was getting this error because I didn't start the command line with Admin privileges.
I guess the error is something of a misnomer in this case.
The problem is the first command: you are creating a self-signed certificate and adding it to the Trusted Root store of the Local Machine account (but you probably know that). But you're also creating files for the public and private keys for the certificate, the .pvk and .cer files.
The second command is creating another certificate, this time not a self signed one but signed by the first certificate. In order to sign a certificate you need both the public and the private key of the issuer (CN=MyCA), you are instructing makecert to look for the issuer public key in the Local Machine Trusted Root Certificate store, that's fine, but you don't have the private key anymore, since MyCA.pvk was deleted.
If you don't specify file names for the private and public keys on the first command, i.e. do not include the -sv MyCA.pvk parameter and MyCA.cer, both the public and private keys will be added to the store. That means there will be no need to delete files because they won't be generated.
Also, if you open a management console (press [WIN]+[R], type mmc [Return]), go to File -> Add/Remove Snap-in -> select "Certificates" -> "Add" -> "Computer Account" and then navigate the tree to Trusted Root Certificates\Certificates, you will find MyCA in the left pane. You'll notice a small key on the icon, and if you double-click the certificate a message at the bottom of the General tab properties will state "You have a private key that corresponds to this certificate". That means you can use that certificate to sign a new one, like you're trying to do with the second command.
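An added example, not from the question or its answers: the same two-step flow (self-signed CA, then a leaf issued by it) with New-SelfSignedCertificate from the PKI module, which replaces the deprecated makecert. The CA key is generated straight into the machine store, so there is no .pvk file to delete and the issuer's private key is still present when the leaf is signed, which is exactly what the failing second makecert needed. One deliberate difference from makecert -ss root: only the CA's public certificate is copied to Trusted Root; the private key stays in Personal. The chain build at the end is the check that the leaf really validates up to MyCA. Assumptions: Windows 10 / Server 2016 or later with the PKI module, an elevated session (LocalMachine stores), and the subject names from the question.

```powershell
# Added example, not from the original page. Requires the PKI module and an elevated session.
function New-LocalTestPki {
    param(
        [string] $CaName   = 'CN=MyCA',
        [string] $LeafName = 'CN=il-mark-lt'
    )
    # 1. Self-signed CA. The key is created in LocalMachine\My and marked non-exportable;
    #    that store is where New-SelfSignedCertificate will find it again as a signer.
    $ca = New-SelfSignedCertificate -Subject $CaName -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy NonExportable `
        -HashAlgorithm sha256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(5) `
        -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

    # 2. Publish only the public certificate to Trusted Root. Root needs to say "this issuer is
    #    trusted"; it does not need, and should not hold, the CA's private key.
    $cerPath = Join-Path $env:TEMP "$($ca.Thumbprint).cer"
    Export-Certificate -Cert $ca -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Remove-Item $cerPath

    # 3. Leaf signed by the CA (the makecert -is root -ir localmachine -in MyCA step).
    #    -Signer needs a certificate object with an accessible private key; $ca still has one.
    $leaf = New-SelfSignedCertificate -Subject $LeafName -Signer $ca -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyExportPolicy Exportable -KeySpec KeyExchange -HashAlgorithm sha256 -KeyLength 2048

    # 4. The check: Windows must build a trusted chain leaf -> MyCA using the stores as they are now.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no CRL exists for a local test CA
    $valid = $chain.Build($leaf)

    [pscustomobject]@{
        CaThumbprint   = $ca.Thumbprint
        LeafThumbprint = $leaf.Thumbprint
        LeafIssuer     = $leaf.Issuer
        ChainValid     = $valid
        ChainElements  = $chain.ChainElements.Count          # expect 2: leaf and MyCA
        ChainStatus    = (($chain.ChainStatus | ForEach-Object Status) -join ',')
    }
}

New-LocalTestPki
```

Remove the CA from Cert:\LocalMachine\Root when the test is over; a machine-wide root with a key on the same box is a standing ability to mint certificates that box trusts.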
