
Command line tool to import pfx file to current user my store?


Joe Kaplan

Dec 1, 2006, 6:58:06 PM
Hi guys,
 
I've been trying to figure out which one of the various certificate management command line tools, namely certmgr.exe and certutil.exe, can be used to import a certificate and private key into the current user "my" store and also set the password and exportability flags.  Can either of these do this or is there another CL tool that can? 
 
I realize I can write cryptoAPI code to do this using PFXImportCertificate and such, but I'd rather not bother if I don't have to as a command line tool would suit me fine.  I'm usually pretty good at figuring this type of stuff out, but I can't quite figure out if either of these tools is actually intended to do this or not.
 
Thanks in advance!
 
Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Andy

Dec 13, 2006, 4:50:31 AM

WinHttpCertCfg.exe does what you require with the added bonus of being able to assign permissions to the private key.

Andy Kendall

Joe Kaplan

Dec 13, 2006, 11:34:56 AM
Cool, thanks. I would not have thought to look there. :)

Joe K.


<Andy> wrote in message news:umn3z1pH...@TK2MSFTNGP04.phx.gbl...

Mitch Gallant

Dec 13, 2006, 12:34:46 PM

Not sure if CAPICOM vbs sample "Cstore.vbs" fits your needs .. here is some info:

Usage: CStore Import [Options] CertFile [Password]

The Import command is used to import certificate(s) from a certificate file
(.CER, .SST, .P7B, .PFX, etc.) to a store. You can use the filtering option(s)
to narrow down the set of certificate(s) to be imported.

Options:

  -l <location>  -- CU or LM (default to CU)
  -s <store>     -- My, CA, AddressBook, Root, etc. (default to My)
  -e             -- Mark private key as exportable (PFX only)
  -p             -- Mark private key as user protected (PFX only)
                    Note: The DPAPI dialog will be displayed
  -v <level>     -- Verbose level, 0 for normal, 1 for detail
                    2 for UI mode (default to level 0)
  -?             -- This help screen

  CertFile       -- Certificate file to be imported

  Password       -- Password for PFX file

Note: All non-fatal invalid options for this specific command will be ignored.

- Mitch Gallant
MVP Security

"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in message

news:%23vkngSt...@TK2MSFTNGP02.phx.gbl...
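
For readers who want the CStore Import options above without a CAPICOM dependency, the following is an added PowerShell example (not from the thread and not part of CStore.vbs) that maps -l, -s, -e and -p onto .NET's X509KeyStorageFlags. The function name Import-PfxToStore and the sample file name are assumptions made for illustration.

```powershell
# Added example; Import-PfxToStore is a hypothetical helper, not a tool from the thread.
function Import-PfxToStore {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password,
        # CStore -l (CU or LM); defaults to the current user
        [System.Security.Cryptography.X509Certificates.StoreLocation] $Location = 'CurrentUser',
        [string] $StoreName = 'My',   # CStore -s
        [switch] $Exportable,         # CStore -e; the key is non-exportable unless set
        [switch] $UserProtected       # CStore -p; the user is prompted when the key is used
    )
    $ns = 'System.Security.Cryptography.X509Certificates'

    # Choice made in this example: user protection needs an interactive user,
    # so it is rejected for machine keys.
    if ($UserProtected -and $Location -eq 'LocalMachine') {
        throw 'UserProtected is only supported here for the CurrentUser location.'
    }

    # PersistKeySet keeps the key container on disk after the object is released.
    $names = @('PersistKeySet')
    if ($Location -eq 'CurrentUser') { $names += 'UserKeySet' } else { $names += 'MachineKeySet' }
    if ($Exportable)    { $names += 'Exportable' }
    if ($UserProtected) { $names += 'UserProtected' }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]($names -join ', ')

    # .NET resolves relative paths against the process directory, so pass an absolute path.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath, $Password, $flags
    if (-not $cert.HasPrivateKey) { throw "No private key found in $fullPath" }

    $store = New-Object "$ns.X509Store" -ArgumentList $StoreName, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    # Report what was imported and with which key flags, e.g. for an install log.
    New-Object psobject -Property @{
        Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Flags = $flags
    }
}

# Constructed usage: prompt for the password so it never appears on a command line.
# $pw = Read-Host -AsSecureString 'PFX password'
# Import-PfxToStore -PfxPath .\client.pfx -Password $pw
```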

Joe Kaplan

Dec 13, 2006, 3:09:51 PM
Thanks, Mitch. I thought about CAPICOM. However, my problem is that I need
this to run from within a Windows Installer package and therefore have to be
very careful about deployment dependencies. I don't have an easy way to
ensure that CAPICOM is deployed and registered, so that might make this more
difficult. That's why I was looking for a simple command line tool.
Ideally, I'd have a custom action DLL that just uses CAPI that is designed
to interact with Windows Installer, but that is asking a lot and would be a
bunch of heavy lifting for me.

I'll play around with it though and see what can be made to work.

Joe K.


"Mitch Gallant" <jens...@community.nospam> wrote in message
news:OzVIM0tH...@TK2MSFTNGP04.phx.gbl...

Mitch Gallant

Dec 13, 2006, 4:49:21 PM
Yup I understand.
That being said, the cab installer for CAPICOM is quite tiny and doesn't
require a reboot:
http://www.jensign.com/capicom2install
- Mitch

"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in message

news:eNCwmKvH...@TK2MSFTNGP03.phx.gbl...

Joe Kaplan

Dec 13, 2006, 6:43:56 PM
Cool, I might try that. Given that I will probably use Windows Installer
for my overall packaging, I might try to find a merge module for it too.
The main thing I worry about is a chicken and egg problem of having to make
sure my custom code that uses CAPICOM runs AFTER CAPICOM gets installed.

Anyway, I'll come back to this if I can use it.

Joe K.

"Mitch Gallant" <jens...@community.nospam> wrote in message

news:OkWapCwH...@TK2MSFTNGP04.phx.gbl...
