CertInstaller Tool

4/8/2010

The CertInstaller command line tool (CertInstaller.exe) enables applications to script certificate installation operations.

Note

Do not use the CertInstaller tool for standard certificate installation. Instead, click the certificates in the file explorer, as described in the Certificate Installer.

The CertInstaller tool (CertInstaller.exe) installs certificates from the following file formats:

  • .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12) format files that include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
  • .CER – Base64-encoded or DER-encoded X.509 certificates that install into the intermediate and root certificate stores.
  • .P7B – Public-Key Cryptography Standards #7 (PKCS #7) format files that install multiple certificates to certificate stores on the device.

The primary use of the CertInstaller tool is to enable certificate deployment to devices in an environment that uses third-party vendor PKI/enrollment. The CertInstaller tool installs certificates into the HKCU (Current user) “CA” and “ROOT” certificate stores while still running under SECROLE_USER_AUTH.

Syntax

certinstaller.exe [-p Password] [-silent] [-csp Provider] <CertFile> 

Parameters

  • -p Password
    The password to open the .PFX file.

    Note

    If you do not specify a password, the user will need to enter it in the Password UI.

    If the password contains a space, enclose the password in double quotes. If the password contains double quotes or backslashes, those must be escaped with a backslash. For example:

    My password -> "My password"

    My\password -> My\\password

    My"Password -> My\"Password

    The best practice is to always double-quote the password, but it is only required when there is a space. For example:

    MyPassword -> "MyPassword"

  • -silent
    No UI will be shown from CertInstaller. However, if a root certificate is being added to the ROOT store, the user will receive a prompt to install the certificate.
  • -csp Provider
    Specifies the Cryptographic Service Provider to use.

    Note

    If you do not specify the Provider, the default provider in the registry will be used. If none is in the registry, the default provider, determined by CAPI, will be used.

  • CertFile
    Specifies the location and filename of the .PFX, .P12, .P7B or .CER file to import.
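
The -p escaping rules above, applied by a calling application before it launches the tool. This is an added C example, not code from the original page or from CertInstaller itself; the function names quote_password and build_cmdline and the sample path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Quote a password for -p using the rules above: prefix each backslash and
 * double quote with a backslash, then wrap the result in double quotes.
 * Returns 0 on success, -1 if the output buffer is too small. */
int quote_password(const char *pw, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;          /* opening quote, closing quote, NUL */
    out[n++] = '"';
    for (; *pw; pw++) {
        int esc = (*pw == '"' || *pw == '\\');
        /* need room for: escape (if any), the char, closing quote, NUL */
        if (n + esc + 2 >= outlen) return -1;
        if (esc) out[n++] = '\\';
        out[n++] = *pw;
    }
    out[n++] = '"';
    out[n] = '\0';
    return 0;
}

/* Build the command line following the Syntax section. Assumption: the
 * page gives no quoting rule for <CertFile>, so paths containing a space
 * or a double quote are rejected instead of guessed at. */
int build_cmdline(const char *pw, int silent, const char *certfile,
                  char *out, size_t outlen)
{
    char quoted[256];
    int n;
    if (strpbrk(certfile, " \"") != NULL) return -1;
    if (quote_password(pw, quoted, sizeof quoted) != 0) return -1;
    n = snprintf(out, outlen, "certinstaller.exe -p %s%s %s",
                 quoted, silent ? " -silent" : "", certfile);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char cmd[512];
    /* Constructed sample password and path, not taken from the page. */
    if (build_cmdline("My \"pass\\word", 1, "\\Temp\\user.pfx", cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```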

Remarks

The CertInstaller tool is required mostly for the following cases:

  • Adding an S/MIME decryption certificate to the device that is used across multiple machines that all access the same e-mail account
  • Deployments that cannot leverage Windows Mobile Certificate Enroll because they do not use a Windows Certificate Server
  • Some high security organizations that generate all private keys on a special key generation server

PKCS #12 files include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.

See Also

Reference

Certificate Installer