Search This Blog

Wednesday, June 30, 2010

Automating Installing/Importing pfx (certificate) from command line (certutil) on remote servers.

note: Please also this article

A few days ago I had to sit and install a new certificate to a number of servers. These servers did not exist in an AD environment so using group policy was not an option.

However I thought I could some how script this. I have written a few batch files in the past to execute on a remote server and to do this I used the sysinternals tool psexec. So all I needed was how to import from the command line.

I found that certutil.exe ( a free ms tool) which appears to come with windows 2003 server+ could probably some how do what I wanted. However just using the help I could not see a command to import a pfx, however after trawling Google for a while I found that there is a command but it just does not appear to be list in the certutil help (certutil /?).

So I used the following command

certutil –f –p <passwordOfPfxFile> –importpfx <filelocation>

-f : force overwrite of certificate

-p: Password of the pfx file

This command will install the certificate into the personal store of the computer account. There are additional commands to install to other stores and locations, such as “–user My” which put it into the personal store if the user, and –addstore ca. Please look up these as I only include here as a quick reference.

This command worked a treat on the local machine, so now it was just a matter of getting it to run remotely.

psexec –u <username> –p <password> \\<servername> certutil -f –p <pfxpassword> –importpfx <pfx File Location>

-u: remote server username.

-p: remote server user password.

I used the psexec command and stored the pfx file in location accessible to all servers (a unc path).

Now all I needed to was to loop through all the servers, I did this by setting up a file with all the servers listed in it. Then created two batch files one to loop through the server list and pass each server to the second batch file which contained the psexec statement above.


FOR /F "tokens=1 delims= " %%G IN (.\serverlist.txt) DO batchFile2.bat %%G

This command loops through the serverlist.txt file, %%G will be the servername retrieved from the serverlist.txt file and then passed to the batchfile2.bat


psexec –u <username> –p <password> \\%1 certutil -f –p <pfxpassword> –importpfx <pfx File Location>

This command takes the first parameter passed to the file (%1, the servername) and runs it via psexec on the server.


Windows2000, I found that the certutil for windows2000 moaned about the –p parameter. I got round that by copying the following files from a windows 2003 server to a temporary location on the windows 2000 servers. the call to the certutil then had to be the full path (it couldnot rely on the system path).

certreq.exe, certutil.exe, certcli.dll, certadm.dll

psexec –u <username> –p <password> \\%1 c:\templocation\certutil -f –p <pfxpassword> –importpfx <pfx File Location>



  1. Thanks! I have been looking for way to do this in Powershell but certutil is much easier.

  2. You are most welcome. Thanks for the comment.

  3. Thanks, This article is great. I want to know one more thing. After installing pfx file, i want to give full access to "everyone" to that certificate. How can it be done through command prompt.Manually it can be done through -- Right click->All task->Manage private keys.. to that pfx file.

  4. Hi Jiten, I am afraid I don't know. Whenever I did this it installed to the computer account store, which I thought was open to all.
    Did you try looking at the options I specified in the article

    -user MY, -addstore .... , -delstore I think these might be what your after.

    However I also found this article,
    which uses powershell but seems to be what your asking. Hope it helps, let us know how you get on.


    1. Hi,

      very interessant article. Im looking for a solution to remote certutil that i can't for the moment. Have you an idea about these error ?

      DecodeFile returned Access is denied. 0x80070005 (WIN32: 5)
      CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5)
      CertUtil: Access is denied.

      When i ran certutil in local the certificate is successuflly added in the desired store. But when i launch my script form my pc, i've got an error.

      Details : pc = Windows 7, Powershell v2 runs as an admin with an admin domain account, target = Windows server 2003 Sp1. No ca services activated. It is a web server (iis). I have to add intermediate ca certificates.

  5. Did you notice while running psexec -u user -p password that psexec would complain and throw this error.

    Logon failure: unknown user name or bad password.

    if so how did you get around this. I have tried this with a domain admin and still get the error. However, with my local account that is also a local admin on the machine, it worked.