How can I install a .pfx ssl certificate so that all users in a citrix / terminal services environment have access to it?

Hello all. I need to install a .pfx certificate for all users. The
problem: when I install it, it is only available for the user who
installed, not for the rest.

Can this be done installing the .pfx one time only, or do I have to
install the same certificate for EVERY user??? If so, any ideas about how
can I automate the installation of the certificate for every user?

The environtment is W2K3-SP2, CPS4.5.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

We use certutil to import our certificate.  We're doing a .cer, though you should be able to do a .pfx as well.  Upon user logon a batch file executes with the command below.  

c:\certutil\certutil.exe -addstore root c:\certutil\svcert.cer

You'll need to modify the paths at the least.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Carl WebsterCommented:
Follow these instructions to import the .pfx file

open mmc, (start>run>mmc) and open the certificates snap in.

Select "local computer account" when prompted

You will then see on the left, certificates, please select the "personal" folder.

Right click the "personal" folder and select all "tasks>Import"

Find the .pfx file you saved previously and import the certificate and private key into the MMC
ppsditAuthor Commented:
Carl, Thank you for your insight.  I am a bit confused however, where are you suggesting that I run this procedure?  On each citrix server?  Would that be available for all users?

Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Carl WebsterCommented:
Yes, on each Citrix server.  Since you are using the local computer it _should_ install for all users.  I have seen other Citrix foum postings that say this will need to be done for every user.
ppsditAuthor Commented:
Unfortunately I do not see the cretificate in IE when I install it the way you described, Carl.  And when I go to the site Ithat the cert is for, it says it can't find a certificate.
Any idea why that might be?
ppsditAuthor Commented:
the following script works perfectly:
c:\windows\system32\certutil -user -p password -importpfx -f \\server\path\cert.pfx
however it only works for local/domain administrators.

When I try running this as a logon script via group policy it does not correctly add the certificate to the personal store of the local user (and there is no enty in the certutil.log file).
When I try running as an admin user it does not seem to add the cert to the personal store.

Any advice would be greatly appreciated.

Carl WebsterCommented:
Try CAPICOM from Microsoft:

then use the cstore.vbs in a batch file to import the certificate.
ppsditAuthor Commented:
Thank you for your suggestions.  In the end, I couldn't spend much more time on this.  The CAPICOM option seems promising but I decided I needed to find a different solution.
This is what I did:
I downloaded a fully encpsulated thinapp version of firefox from
I am easily able to manually add the certificates to each users' profile in firefox (I was able to do so in IE but the page would not display properly).  I have not yet figured out how to do so with a script but since I was just going to publish that thinapp via citrix to about a dozen users, so I did it manually this time.  Thank you for all your help.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.