Certutil -addstore

HappyJackie
I am trying to use the certutil command in the Windows command line to add a certificate. With this I am trying to install a certificate to the Personal folder, which can be seen in Microsoft Management Console (MMC). I have gotten far enough that the command completes successfully, but I am not sure where it is importing the certificate to, because it is not in the Personal folder in MMC. Here is the success message certutil gives me.

I understand that this is a random certificate to add, but it is just a test for me, because the real certificate has to be loaded on a different network. Also, here is the link to the AOL certificate: https://pki-info.aol.com/AOL/.
---------------------------------------------------------------------------------------------------------------------------------------------
Personal
Signature matches Public Key
Related Certificates:

Exact match:
Element 0:
Serial Number: 01
Issuer: CN=America Online Root Certification Authority 1, O=America Online Inc.,
 C=US
NotBefore: 5/28/2002 1:00 AM
NotAfter: 11/19/2037 3:43 PM
Subject: CN=America Online Root Certification Authority 1, O=America Online Inc.
, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 39 21 c1 15 c1 5d 0e ca 5c cb 5b c4 f0 7d 21 d8 05 0b 56 6a

Certificate "CN=America Online Root Certification Authority 1, O=America Online
Inc., C=US" already in store.
CertUtil: -addstore command completed successfully.
---------------------------------------------------------------------------------------------------------------------------------------------

certutil -addstore -f -enterprise Personal "C:\Users\Jack\Desktop\certificate import\AMericaOnline1.der"

Cryptographic Engineer
Commented:
There are a few things off about that. See the code snippet for what you are probably looking for. Here are a few comments about what went wrong, too.

1) For the user context, you need to add "-user" as the first switch.  Without it, it will go to the machine store.

2) The Personal store should be referred to as "My" instead of "Personal"

3) Leave out the "-enterprise" switch unless you are dealing with smartcard logon certificates.  This should be used with the "Trust" store name (Enterprise Trust in the GUI) and may be used with or without the -user context, as explained above.

Add to user's Personal store:
certutil -user -addstore My %filename.cer"
 
Add to machine's Personal store (so it is common to all users):
certutil -addstore My %filename.cer"
 
Add to Trusted Root Certificate Authorities for all users:
certutil -addstore Root %filename.cer"
 
Add to Intermediate Certificate Authorities for all users:
certutil -addstore CA %filename.cer"
 
Add to user's Enterprise Trust store, typically used for the root certificate (in addition to normal trusted root store) for CAs that issue smartcard logon certificates:
certutil -user -enterprise -addstore Trust %filename.cer%


Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Please replace   %filename.cer"  with   "%filename.cer%"    in each example.
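
To check where a certificate actually landed, as asked in the question, the following PowerShell script (an added example, not part of the original thread) runs certutil -store against each context switch and store name mentioned above and reports the ones that contain the SHA-1 hash from the question's output. The context labels and variable names are this example's own.

```powershell
# Added example: find which store/context holds a given certificate.
# SHA-1 hash from the "Cert Hash(sha1)" line in the question, spaces removed.
$thumb = '3921c115c15d0eca5ccb5bc4f07d21d8050b566a'

# certutil context switches that appear in this thread (labels are this example's own).
$contexts = [ordered]@{
    'machine'            = @()
    'user'               = @('-user')
    'machine enterprise' = @('-enterprise')
    'user enterprise'    = @('-user', '-enterprise')
}

# Store names from the thread; "Personal" is the literal name the question passed.
$stores = 'My', 'Personal', 'Root', 'CA', 'Trust'

$found = foreach ($ctx in $contexts.GetEnumerator()) {
    foreach ($store in $stores) {
        # Builds a call such as: certutil -user -store My <hash>
        $cmdArgs = @($ctx.Value) + @('-store', $store, $thumb)
        $out = (& certutil.exe @cmdArgs 2>&1 | Out-String)

        # Some builds print the hash with spaces, so strip whitespace before matching.
        $hit = ($LASTEXITCODE -eq 0) -and (($out -replace '\s', '') -match $thumb)
        if ($hit) {
            [pscustomobject]@{ Context = $ctx.Key; Store = $store }
        }
    }
}

if ($found) { $found | Format-Table -AutoSize }
else        { Write-Output "Hash $thumb not found in the stores checked." }
```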
