3

Using inetmgr, I made a pfx file containing the public and private keys for a certificate. Now I'm trying to install the pfx into another machine from the command prompt with

certutil -p <password> -importpfx root <path_to_pfxfile>

Unfortunately, this is only importing the public key. If I use the certmgr snap-in I can import both keys, but I need to be able to automate this. Can anybody help?

user1058410
  • The `Import-PfxCertificate` PowerShell command will probably do what you want. I'm not in a position to test this right now, but the documentation is here: https://technet.microsoft.com/en-us/library/hh848625(v=wps.630).aspx – Crippledsmurf Sep 11 '15 at 23:13
  • Thanks. I'll try it on Monday. Post it as an answer, and if it works i'll pick it. – user1058410 Sep 12 '15 at 05:15

2 Answers

4

The Import-PfxCertificate PowerShell command will probably do what you want.

This would import the certificate(s) and keys stored in my.pfx file into the Trusted Root Certificate Authorities certificate store for the local machine.

# $password must be a SecureString (see the comment below for ConvertTo-SecureString)
Import-PfxCertificate -FilePath C:\mypfx.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password


You may need to experiment a bit to find the name used for the certificate store of interest. I did this by copying the thumbprint of a certificate in the relevant store from the UI, removing spaces and then running

# Recurse from the root of the Cert: drive so certificates in every store are searched
ls Cert:\ -Recurse | where {$_.Thumbprint -eq "<thumbprint value here, with spaces removed>"}

Which gave me this as part of the output.

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Crippledsmurf
  • This answer was a life saver for me. Tip about finding available cert stores: From Powershell: `PS> ls cert:\ ` will show list of top level dirs, e.g., `CurrentUser` and `LocalMachine`. Any user can write to `cert:\CurrentUser` but `cert:\LocalMachine` requires special permissions. Include arg `-Exportable` if you need to access private key later. For password, try: `-Password (ConvertTo-SecureString "your-password-here" -AsPlainText -Force)` – kevinarpe Jan 05 '23 at 13:13
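A startup script that puts the answer and the comment above together, as an added example that is not code from either poster: it imports a PFX with its private key into a LocalMachine store, skips the import if the thumbprint is already present (so it is safe to run on every role start), and verifies afterwards that the private key actually landed. The file path, the target store and the environment variable holding the password are assumptions chosen for the example; `Get-PfxData` and `Import-PfxCertificate` come from the PKI module the answer relies on.

```powershell
# Added example (not from the answer or its comments). Assumed values:
#   $PfxPath         - where the deployment drops the PFX
#   $StorePath       - target store; Cert:\LocalMachine\My holds server certs,
#                      Cert:\LocalMachine\Root is for CA certs you choose to trust
#   $PasswordEnvVar  - the password is read from the environment instead of
#                      being hard-coded in the script
param(
    [string]$PfxPath        = 'C:\deploy\mycert.pfx',
    [string]$StorePath      = 'Cert:\LocalMachine\My',
    [string]$PasswordEnvVar = 'PFX_PASSWORD'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path $PfxPath)) {
    throw "PFX file not found: $PfxPath"
}

$plain = [Environment]::GetEnvironmentVariable($PasswordEnvVar)
if ([string]::IsNullOrEmpty($plain)) {
    throw "No PFX password found in environment variable $PasswordEnvVar"
}
# Import-PfxCertificate expects a SecureString, not a plain string
$securePwd = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Read the end-entity certificate from the file first, so the script can
# check the store by thumbprint before importing (idempotent on re-runs)
$pfxData = Get-PfxData -FilePath $PfxPath -Password $securePwd
$thumb   = $pfxData.EndEntityCertificates[0].Thumbprint
$certItemPath = "$StorePath\$thumb"

if (Test-Path $certItemPath) {
    Write-Output "Certificate $thumb already present in $StorePath, skipping import"
} else {
    # No -Exportable: the private key stays non-exportable unless you need
    # to export it again later, as the comment above points out
    $null = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation $StorePath `
                                  -Password $securePwd
    Write-Output "Imported $thumb into $StorePath"
}

# Verify the result: the cert must be in the store AND carry its private key,
# which is exactly the part the certutil attempt in the question was missing
$cert = Get-Item $certItemPath
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb is in $StorePath but has no private key attached"
}
Write-Output ("OK: {0} (subject {1}) valid until {2:u}" -f $thumb, $cert.Subject, $cert.NotAfter)
```

Run it from an elevated PowerShell session, since writing to `Cert:\LocalMachine` needs administrative rights; for a role startup task the password environment variable would be set by the role configuration rather than typed in by hand.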
0

certutil does not import the private key. You'll have to use another tool such as pk12util.

This question has already been answered. Please attempt to find a solution to your problem before asking a question.

See this answer: https://serverfault.com/questions/647658/how-to-add-an-existing-key-to-the-certutil-key-database

And this answer: https://stackoverflow.com/questions/27161403/how-to-setup-dart-to-use-a-ca-ssl-certificate/27176982#27176982

Alex G.
  • I should have been more specific. The other machine is really a windows azure web role, and I need the certificate imported when the role starts up. So using open-ssl tools are not an option. – user1058410 Sep 12 '15 at 05:18