Home/ Questions/Q 9242593
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T08:36:44+00:00

I am trying to install a certificate for a website on multiple machines through

  • 0

I am trying to install a certificate for a website on multiple machines through a login script. Is this possible or what is the best option? I am most familiar with Batch scripts, if someone has one already working that would be the best option for me, otherwise I can call a vbs in a login script.

I have tried to just call the cert, but there are options for it, I need it to go to Truster Publisher so that the activeX controls are loaded w/o prompts for the user.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have actually had the same problem in the past… You will want to explore the following command:

    certutil.exe

    This command allows you to install certificates via command line.

    certutil.exe -addstore -f "TrustedPublisher" "<Location_of_Certificate>"

    The previous command will get you what you need, just replace the "<Location_of_Certificate>" with the actual location and file name of the certificate.

    Using the ‘ -f ‘ option is a little bit overkill in some instances, but I did script out a way to check if the certificate is already installed FIRST. If it is then I skip trying to run this portion, because you can actually install multiple certificate stores, which is messy.

    To achieve this, first you will need to know the publisher’s name. The way I did this was I installed the Cert on a computer manually, then I ran the following command:

    certutil.exe -store trustedpublisher

    This should get you the list of ALL your trusted publishers. Now find the one you need in the list… you will see something like the following (I’m using Microsoft Root Authority as an example):

    Serial Number: xxxx11dxxxx8ffexxxx
    Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation,
    OU=Copyright (c) 1997 Microsoft
    Corp. NotBefore: 10/1/1997 2:00 AM NotAfter: 12/31/2002 2:00 AM
    Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft
    Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate
    CA, OU=Copyright (c) 19 97 Microsoft Corp. Non-root Certificate
    Template: Cert Hash(sha1): xx xx 1c xx xx 45 xx xx b3 xx xx 94 xx xx
    7c 74 07 33 03 1c No key provider information Cannot find the
    certificate and private key for decryption.

    Now that you have the Issuer of the Cert exactly like it will be listed you can perform the check:

    certutil.exe -store trustedpublisher | findstr "Microsoft Root Authority"

    Now that should give you back some of the same info you saw in the original listing. This is what I do to handle the process from start to finish (NOTE I add the cert to both trusted publisher and CA):

    :importCertRoot
verify >nul
certutil.exe -store trustedpublisher | findstr "Microsoft Root Authority"  
IF '%ERRORLEVEL%'=='0' goto importCertLocal
verify >nul
certutil.exe -addstore -f "TrustedPublisher" "<Location_of_Certificate>\<CertName.cer>"
goto importCertLocal

:importCertLocal
verify >nul
certutil.exe -store CA | findstr "Microsoft Root Authority"  
IF '%ERRORLEVEL%'=='0' goto exit
verify >nul
certutil.exe -addstore -f "CA" "<Location_of_Certificate>\<CertName.cer>"
goto next

    I hope this helps you out

    • 0