The CertInstaller command line tool (CertInstaller.exe) enables applications to script certificate installation operations.
Do not use the CertInstaller tool for standard certificate installation. Instead, click the certificates in the file explorer, as described in the Certificate Installer.
The CertInstaller tool (CertInstaller.exe) enables installation of certificates via various file formats:
- .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12) format files that include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
- .CER – Base64-encoded or DER-encoded X.509 certificates that install into the intermediate and root certificate stores.
- .P7B – Public-Key Cryptography Standards #7 (PKCS #7) format files that install multiple certificates to certificate stores on the device.
The primary use of the CertInstaller tool is to enable certificate deployment to devices in an environment that uses third-party vendor PKI/enrollment. The CertInstaller tool installs certificates into the HKCU (current user) "CA" and "ROOT" certificate stores while still running under SECROLE_USER_AUTH.
certinstaller.exe [-p Password] [-silent] [-csp Provider] <CertFile>
-p Password
The password to open the .PFX file.
If you do not specify a password, the user will need to enter it in the Password UI.
If the password contains a space, enclose the password in double quotes. If the password contains double quotes or backslashes, those must be escaped with a backslash. For example:
My password -> "My password"
My\password -> My\\password
My"Password -> My\"Password
The best practice is to always double-quote the password, but it is only required when there is a space. For example:
MyPassword -> "MyPassword"
-silent
No UI will be shown from CertInstaller. However, if a root certificate is being added to the ROOT store, the user will receive a prompt to install the certificate.
-csp Provider
Specifies the Cryptographic Service Provider to use.
If you do not specify the Provider, the default provider in the registry will be used. If none is in the registry, the default provider, determined by CAPI, will be used.
CertFile
Specifies the location and filename of the .PFX, .P12, .P7B or .CER file to import.
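The following is an added example, not part of the original documentation: a deployment-script helper that applies the password escaping rules above and assembles the command line in the documented argument order. The function names and the sample file name are hypothetical; because the page documents quoting only for the password, the helper rejects provider and path values that would need quoting.

```python
def quote_password(password: str) -> str:
    """Apply the page's rules: prefix each backslash and double quote with a
    backslash, then wrap the result in double quotes (the stated best practice)."""
    # Backslashes first, so the backslash added in front of a quote is not doubled.
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _plain(value: str, what: str) -> str:
    # Assumption: quoting is documented only for the password, so any other
    # value containing whitespace or a double quote is refused, not guessed at.
    if not value or any(ch.isspace() or ch == '"' for ch in value):
        raise ValueError(f"{what} would need undocumented quoting: {value!r}")
    return value


def build_command_line(cert_file, password=None, silent=False, csp=None) -> str:
    """Build: certinstaller.exe [-p Password] [-silent] [-csp Provider] <CertFile>"""
    parts = ["certinstaller.exe"]
    if password is not None:
        parts += ["-p", quote_password(password)]
    if silent:
        parts.append("-silent")
    if csp is not None:
        parts += ["-csp", _plain(csp, "provider")]
    parts.append(_plain(cert_file, "certificate path"))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample passwords, taken from the examples on this page.
    for sample in ("My password", "My\\password", 'My"Password', "MyPassword"):
        print(f"{sample} -> {quote_password(sample)}")
    # Constructed file name, for illustration only.
    print(build_command_line("user.pfx", password="My password", silent=True))
```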
The CertInstaller tool is required mostly for the following cases:
- Adding an S/MIME decryption certificate to the device that is used across multiple machines that all access the same e-mail account
- Deployments that cannot leverage Windows Mobile Certificate Enroll because they do not use a Windows Certificate Server
- Some high security organizations that generate all private keys on a special key generation server
PKCS12 files include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.